Some Facets of Complexity Theory and
Cryptography: A Five-Lectures Tutorial

JÖRG ROTHE

Heinrich-Heine-Universität Düsseldorf



In this tutorial, selected topics of cryptology and of computational complexity theory are presented. We give a brief overview of the history and the foundations of classical cryptography, and then move on to modern public-key cryptography. Particular attention is paid to cryptographic protocols and the problem of constructing key components of protocols such as one-way functions. A function is one-way if it is easy to compute, but hard to invert. We discuss the notion of one-way functions both in a cryptographic and in a complexity-theoretic setting. We also consider interactive proof systems and present some interesting zero-knowledge protocols. In a zero-knowledge protocol one party can convince the other party of knowing some secret information without disclosing any bit of this information. Motivated by these protocols, we survey some complexity-theoretic results on interactive proof systems and related complexity classes.

Categories and Subject Descriptors: E.3 [Data Encryption]: Public-key Cryptosystems; F.1.3 [Computation by Abstract Devices]: Complexity Measures and Classes — Complexity hierarchies; Relations among complexity classes; F.2.2 [Analysis of Algorithms and Problem Complexity]: Nonnumerical Algorithms and Problems — Computations on discrete structures

General Terms: Theory, Security, Algorithms 

Additional Key Words and Phrases: complexity theory, public-key cryptography, secret-key agreement, digital signatures, interactive proof systems, zero-knowledge protocols, one-way functions



Author's address: J. Rothe, Institut für Informatik, Heinrich-Heine-Universität Düsseldorf, 40225 Düsseldorf, Germany. Email address: rothe@cs.uni-duesseldorf.de.

This version, which revises earlier versions of this tutorial, appears in ACM Computing Surveys, 
vol. 34, no. 4, December 2002. 

This work was supported in part by grant NSF-INT-9815095/DAAD-315-PPP-gu-ab. 
Permission to make digital/hard copy of all or part of this material without fee for personal 
or classroom use provided that the copies are not made or distributed for profit or commercial 
advantage, the ACM copyright/server notice, the title of the publication, and its date appear, and 
notice is given that copying is by permission of the ACM, Inc. To copy otherwise, to republish, 
to post on servers, or to redistribute to lists requires prior specific permission and/or a fee. 



2 • Jorg Rothe 



Contents

Outline of the Tutorial 2
1 Cryptosystems and Perfect Secrecy 5
1.1 Classical Cryptosystems 5
1.2 Conditional Probability and Bayes's Theorem 8
1.3 Perfect Secrecy: Shannon's Theorem 9
1.4 Vernam's One-Time Pad 11
2 RSA Cryptosystem 12
2.1 Euler and Fermat's Theorems 12
2.2 RSA 13
2.3 RSA Digital Signature Protocol 17
2.4 Security of RSA and Possible Attacks on RSA 17
3 Protocols for Secret-Key Agreement, Public-Key Encryption, and Digital Signatures 22
3.1 Diffie and Hellman's Secret-Key Agreement Protocol 23
3.2 ElGamal's Public-Key Cryptosystem and Digital Signature Protocol 27
3.3 Shamir's No-Key Protocol 29
3.4 Rivest, Rabi, and Sherman's Secret-Key Agreement and Digital Signature Protocols 30
3.5 Discussion of Diffie-Hellman versus Rivest-Sherman 30
4 Interactive Proof Systems and Zero-Knowledge Protocols 33
4.1 Interactive Proof Systems 34
4.2 Zero-Knowledge Protocols 39
4.3 Zero-Knowledge Protocol for the Graph Isomorphism Problem 40
4.4 Fiat and Shamir's Zero-Knowledge Protocol 43
5 Strongly Noninvertible Associative One-Way Functions 45
5.1 Definitions and Progress of Results 46
5.2 Creating Strongly Noninvertible, Total, Commutative, Associative One-Way Functions from Any One-Way Function 49
5.3 If P ≠ NP then Some Strongly Noninvertible Functions are Invertible 52



Outline of the Tutorial 

This tutorial consists of five lectures on cryptography, based on the lecture notes for a course on this subject given by the author in August, 2001, at the 11th Jyväskylä Summer School in Jyväskylä, Finland. As the title suggests, a particular focus of this tutorial is to emphasize the close relationship between cryptography and complexity theory. The material presented here is not meant to be a comprehensive study or a complete survey of (the intersection of) these fields. Rather, five vivid topics from those fields are chosen for exposition, and from each topic chosen, some gems — some particularly important, central, beautiful results — are presented. Needless to say, the choice of topics and of results selected for exposition is based on the author's personal tastes and biases.

The first lecture sketches the history and the classical foundations of cryptography, introduces a number of classical, symmetric cryptosystems, and briefly discusses by example the main objectives of the two opposing parts of cryptology: cryptography, which aims at designing secure ways of encryption, versus cryptanalysis, which aims at breaking existing cryptosystems. Then, we introduce the notion of perfect secrecy for cryptosystems, which dates back to Claude Shannon's pioneering work [Sha49] on coding and information theory.

The second lecture presents the public-key cryptosystem RSA, which was invented by Rivest, Shamir, and Adleman [RSA78]. RSA is the first public-key cryptosystem developed in the public sector. To describe RSA, some background from number theory is provided in as short a way as possible but to the extent necessary to understand the underlying mathematics. In contrast to the information-theoretical approach of perfect secrecy, the security of RSA is based on the assumption that certain problems from number theory are computationally intractable. Potential attacks on the RSA cryptosystem as well as appropriate countermeasures against them are discussed.

The third lecture introduces a number of cryptographic protocols, including the secret-key agreement protocols of Diffie and Hellman [DH76] and of Rivest and Sherman (see [RS93,RS97]), ElGamal's public-key cryptosystem [ElG85], Shamir's no-key protocol, and the digital signature schemes of Rivest, Shamir, and Adleman [RSA78], ElGamal [ElG85], and Rabi and Sherman [RS93,RS97], respectively. Again, the underlying mathematics and, relatedly, security issues of these protocols are briefly discussed.

A remark is in order here. The protocols presented here are among the most central and important cryptographic protocols, with perhaps two exceptions: the Rivest-Sherman and the Rabi-Sherman protocols. While the secret-key agreement protocol of Diffie and Hellman [DH76] is widely used in practice, that of Rivest and Sherman (see [RS93,RS97]) is not (yet) used in applications and, thus, might appear somewhat exotic at first glance. An analogous comment applies to the Rabi-Sherman digital signature protocol. However, from our point of view, there is some hope that this fact, though currently true, might change in the near future. In Section 3.5, we will discuss the state of the art on the Diffie-Hellman protocol and the Rivest-Sherman protocol, and we will argue that recent progress of results in complexity theory may lead to a significant increase in the cryptographic security and the applicability of the Rivest-Sherman protocol. One line of complexity-theoretic research that is relevant here is presented in Section 5; another line of research is Ajtai's breakthrough result [Ajt96] on the complexity of the shortest lattice vector problem (SVP, for short), which is informally stated in Section 3.5.

The fourth lecture introduces interactive proof systems and zero-knowledge protocols. This area has rapidly developed and flourished in complexity theory and has yielded a number of powerful results. For example, Shamir's famous result [Sha92] characterizes the power of interactive proof systems in terms of classical complexity classes: Interactive proof systems precisely capture the class of problems solvable in polynomial space. Also, the study of interactive proof systems is related to probabilistically checkable proofs, which has yielded novel nonapproximability results for hard optimization problems; see the survey [Gol97]. Other results about interactive proof systems and the related zero-knowledge protocols have direct applications in cryptography. In particular, zero-knowledge protocols enable one party to convince another party of knowledge of some secret information without conveying any bit of this information. Thus, they are ideal technical tools for authentication purposes. We present two of the classic zero-knowledge protocols: the Goldreich-Micali-Wigderson protocol for graph isomorphism [GMW86,GMW91] and the Fiat-Shamir protocol [FS86] that is based on a number-theoretical problem. For an in-depth treatment of zero-knowledge protocols and many more technical details, the reader is referred to Chapter 4 of Goldreich's book [Gol01b].

The fifth lecture gives an overview on the progress of results that was recently obtained by Hemaspaandra, Pasanen, and this author [HR99,HPR01]. Their work, which is motivated by the Rivest-Sherman and the Rabi-Sherman protocols, studies properties of functions that are used in building these two cryptographic protocols. It is results about these functions that may be useful in quantifying the security of these protocols. In particular, the key building block of the Rivest-Sherman protocol is a strongly noninvertible, associative one-way function. Section 5 presents the result [HR99] on how to construct such a function from the assumption that P ≠ NP. In addition, recent results on strong noninvertibility are surveyed, including the perhaps somewhat surprising result that if P ≠ NP then there exist strongly noninvertible functions that in fact are invertible [HPR01]. These results are obtained in the worst-case complexity model, which is relevant and interesting in a complexity-theoretic setting, but useless in applied cryptography. For cryptographic applications, one would need to construct such functions based on the average-case complexity model, under plausible assumptions. Hence, the most challenging open research question related to strongly noninvertible, associative one-way functions is to find some evidence that they exist even in the average-case model. As noted above, our hope of obtaining such a result is based on recent progress on the shortest lattice vector problem accomplished by Ajtai [Ajt96]. Roughly speaking, Ajtai proved that this problem is as hard in the average-case as it is in the worst-case model. Based on this result, Ajtai and Dwork [AD97] designed a public-key cryptosystem whose security is based merely on worst-case assumptions. Ajtai's breakthrough results, his techniques, and their cryptographic applications are not covered in this tutorial. We refer to the nice surveys by Cai [Cai99] and, more recently, by Kumar and Sivakumar [KS01] and Nguyen and Stern [NS01] on the complexity of SVP and the use of lattices in cryptography.

The tutorial is suitable for graduate students with some background in computer science and mathematics and may also be accessible to interested undergraduate students. Since it is organized in five essentially independent, self-contained lectures, it is also possible to present only a proper subset of these lectures. The only dependencies occurring between lectures are that some of the number-theoretical background given in Section 2 is also used in Section 3, and that the Rivest-Sherman secret-key agreement protocol and the Rabi-Sherman digital signature protocol presented in Section 3 motivate the investigations in Section 5. This last section contains perhaps the technically most challenging material, which in part is presented on an expert level with the intention of guiding the reader towards an active field of current research.

There are a number of textbooks and monographs on cryptography that cover various parts of the field in varying depth, such as the books by Goldreich [Gol99,Gol01b], Salomaa [Sal96], Stinson [Sti95], and Welsh [Wel98]. Schneier's book [Sch96] provides a very comprehensive collection of literally all notions and concepts known in cryptography, which naturally means that the single notions and concepts cannot be treated in mathematical detail there, but the interested reader is referred to an extraordinarily large bibliography for such an in-depth treatment. Singh [Sin99] wrote a very charming, easy-to-read, interesting book about the history of cryptography from its ancient roots to its modern and even futuristic branches such as quantum cryptography. An older but still valuable source is Kahn's book [Kah67]. We conclude this list, without claiming it to be complete, with the books by Bauer [Bau00], Beutelspacher et al. [BSW01,Beu94], and Buchmann [Buc01].

1. CRYPTOSYSTEMS AND PERFECT SECRECY 
1.1 Classical Cryptosystems 

The notion of a cryptosystem is formally defined as follows.

Definition 1.1 Cryptosystem.

— A cryptosystem is a quintuple $(\mathcal{P}, \mathcal{C}, \mathcal{K}, \mathcal{E}, \mathcal{D})$ such that:

(1) $\mathcal{P}$, $\mathcal{C}$, and $\mathcal{K}$ are finite sets, where

$\mathcal{P}$ is the plain text space or clear text space;

$\mathcal{C}$ is the cipher text space;

$\mathcal{K}$ is the key space.

Elements of $\mathcal{P}$ are referred to as plain text (or clear text), and elements of $\mathcal{C}$ are referred to as cipher text. A message is a string of plain text symbols.

(2) $\mathcal{E} = \{E_k \mid k \in \mathcal{K}\}$ is a family of functions $E_k : \mathcal{P} \to \mathcal{C}$ that are used for encryption, and $\mathcal{D} = \{D_k \mid k \in \mathcal{K}\}$ is a family of functions $D_k : \mathcal{C} \to \mathcal{P}$ that are used for decryption.

(3) For each key $e \in \mathcal{K}$, there exists a key $d \in \mathcal{K}$ such that for each $p \in \mathcal{P}$:

$D_d(E_e(p)) = p.$ (1.1)

— A cryptosystem is called symmetric (or "private-key") if $d = e$, or if $d$ can at least be "easily" computed from $e$.

— A cryptosystem is called asymmetric (or "public-key") if $d \neq e$, and it is "computationally infeasible in practice" to compute $d$ from $e$. Here, $d$ is the private key, and $e$ is the public key.

At times, different key spaces are used for encryption and for decryption, which results in a slight modification of the above definition.

We now present and discuss some examples of classical cryptosystems. Consider the English alphabet $\Sigma = \{A, B, \ldots, Z\}$. To carry out the arithmetic modulo 26 with letters as if they were numbers, we identify $\Sigma$ with $\mathbb{Z}_{26} = \{0, 1, \ldots, 25\}$; thus, 0 represents A and 1 represents B, and so on. This encoding of the plain text alphabet by integers and the decoding of $\mathbb{Z}_{26}$ back to $\Sigma$ is not part of the actual encryption and decryption, respectively. It will be used for the next three examples. Note that messages are elements of $\Sigma^*$, where $\Sigma^*$ denotes the set of strings over $\Sigma$.

Example 1.2 Caesar cipher, a monoalphabetic symmetric cryptosystem.

Let $\mathcal{K} = \mathbb{Z}_{26}$, and let $\mathcal{P} = \mathcal{C} = \Sigma$. The Caesar cipher encrypts messages by shifting (modulo 26) each character of the plain text by the same number $k$ of letters in the alphabet, where $k$ is the key. Shifting each character of the cipher text back using the same key $k$ reveals the original message:

— For each $e \in \mathbb{Z}_{26}$, define the encryption function $E_e : \Sigma \to \Sigma$ by

$E_e(p) = (p + e) \bmod 26,$

where addition with $e$ modulo 26 is carried out character-wise, i.e., each character $m_i \in \Sigma$ of a message $m \in \Sigma^*$ is shifted by $e$ positions to $m_i + e \bmod 26$. For example, using the key $e = 11 = L$, the message "SUMMER" will be encrypted as "DFXXPC."

— For each $d \in \mathbb{Z}_{26}$, define the decryption function $D_d : \Sigma \to \Sigma$ by

$D_d(c) = (c - d) \bmod 26,$

where subtraction by $e$ modulo 26 again is carried out character-wise. Hence, $d = e$. For example, decrypting the cipher text "DNSZZW" with the key $d = 11$ reveals the plain text "SCHOOL."

Since the key space is very small, breaking the Caesar cipher is very easy. It is vulnerable even to "cipher-text-only attacks," i.e., an attacker given enough cipher text $c$ can easily check the 26 possible keys to see which one yields a meaningful plain text. Note that the given cipher text should contain enough letters to enable a unique decryption.

The Caesar cipher is a monoalphabetic cryptosystem, since it replaces each given plain text letter, wherever in the message it occurs, by the same letter of the cipher text alphabet. In contrast, the French cryptographer and diplomat Blaise de Vigenère (1523-1596) proposed a polyalphabetic cryptosystem, which is much harder to break. Vigenère's system builds on earlier work by the Italian mathematician Leon Battista Alberti (born in 1404), the German abbot Johannes Trithemius (born in 1492), and the Italian scientist Giovanni Porta (born in 1535), see [Sin99]. It works like the Caesar cipher, except that the cipher text letter encrypting any given plain text letter X varies with the position of X in the plain text.

More precisely, one uses for encryption and decryption a Vigenère square, which consists of 26 rows with 26 columns each. Every row contains the 26 letters of the alphabet, shifted by one from row to row, i.e., the rows and columns may be viewed as a Caesar encryption of the English alphabet with keys 0, 1, ..., 25. Given a message $m \in \Sigma^*$, one first chooses a key $k \in \Sigma^*$, which is written above the message $m$, symbol by symbol, possibly repeating $k$ if $k$ is shorter than $m$ until every character of $m$ has a symbol above it. Denoting the $i$th letter of any string $w$ by $w_i$, each letter $m_i$ of $m$ is then encrypted as in the Caesar cipher, using the row of the Vigenère square that starts with $k_i$, where $k_i$ is the key letter right above $m_i$. Below, we describe the Vigenère system formally and give an example of a concrete encryption.
Example 1.3 Vigenère cipher, a polyalphabetic symmetric cryptosystem.

For fixed $n \in \mathbb{N}$, let $\mathcal{K} = \mathcal{P} = \mathcal{C} = \mathbb{Z}_{26}^n$. Messages $m \in \Sigma^*$, where $\Sigma$ again is the English alphabet, are split into blocks of length $n$ and are encrypted block-wise.

The Vigenère cipher is defined as follows.

— For each $e \in \mathbb{Z}_{26}^n$, define the encryption function $E_e : \mathbb{Z}_{26}^n \to \mathbb{Z}_{26}^n$ by

$E_e(p) = (p + e) \bmod 26,$

where addition with $e$ modulo 26 is carried out character-wise, i.e., each character $p_i \in \Sigma$ of a plain text $p \in \mathcal{P}$ is shifted by $e_i$ positions to $p_i + e_i \bmod 26$.

— For each $d \in \mathbb{Z}_{26}^n$, define the decryption function $D_d : \mathbb{Z}_{26}^n \to \mathbb{Z}_{26}^n$ by

$D_d(c) = (c - d) \bmod 26,$

where subtraction modulo 26 again is carried out character-wise. As in the Caesar cipher, $d = e$.

For example, choose the word $k = $ ENGLISH to be the key. Suppose we want to encrypt the message $m = $ FINNISHISALLGREEKTOGERMANS,¹ omitting the spaces between words. Table I shows how each plain text letter is encrypted, yielding the cipher text $c$. For instance, the first letter of the message, "F," corresponds to the first letter of the key, "E." Hence, the intersection of the "F"-column with the "E"-row of the Vigenère square gives the first letter, "J," of the cipher text.



k    ENGLISHENGLISHENGLISHENGLI
m    FINNISHISALLGREEKTOGERMANS
c    JVTYQKOMFGWTYYIRQEWYLVZGYA

Table I. An example of encryption by the Vigenère cipher.
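As an added example (not code from the tutorial), the Caesar and Vigenère ciphers of Examples 1.2 and 1.3 in Python: the Caesar cipher is the one-letter special case of the Vigenère cipher, and the last function tests the monoalphabetic/polyalphabetic distinction made above. The function names are my own choice.

```python
from string import ascii_uppercase

# The alphabet Sigma = {A, ..., Z} identified with Z_26: A -> 0, B -> 1, ..., Z -> 25.
ALPHABET = ascii_uppercase


def to_z26(text: str) -> list[int]:
    """Encode a string over Sigma as residues modulo 26 (not part of the cipher itself)."""
    return [ALPHABET.index(ch) for ch in text]


def from_z26(values: list[int]) -> str:
    """Decode residues modulo 26 back to letters of Sigma."""
    return "".join(ALPHABET[v % 26] for v in values)


def vigenere_encrypt(message: str, key: str) -> str:
    """E_e(p) = (p + e) mod 26, character-wise: the key is written above the
    message and repeated until every message character has a key letter above it."""
    m, k = to_z26(message), to_z26(key)
    return from_z26([m[i] + k[i % len(k)] for i in range(len(m))])


def vigenere_decrypt(cipher: str, key: str) -> str:
    """D_d(c) = (c - d) mod 26, character-wise; as in the Caesar cipher, d = e."""
    c, k = to_z26(cipher), to_z26(key)
    return from_z26([c[i] - k[i % len(k)] for i in range(len(c))])


def caesar_encrypt(message: str, e: int) -> str:
    """The Caesar cipher is the special case of a one-letter key e in Z_26."""
    return vigenere_encrypt(message, ALPHABET[e % 26])


def caesar_decrypt(cipher: str, d: int) -> str:
    return vigenere_decrypt(cipher, ALPHABET[d % 26])


def vigenere_rows(message: str, key: str) -> tuple[str, str, str]:
    """The three rows of Table I: repeated key k, message m, cipher text c."""
    repeated = "".join(key[i % len(key)] for i in range(len(message)))
    return repeated, message, vigenere_encrypt(message, key)


def is_monoalphabetic(message: str, cipher: str) -> bool:
    """True iff each plain text letter is always replaced by the same cipher text
    letter wherever it occurs (Caesar); False if the substitution varies with
    the position (Vigenère with a key longer than one letter)."""
    seen: dict[str, str] = {}
    return all(seen.setdefault(p, c) == c for p, c in zip(message, cipher))
```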



Our last example of a classical, historically important cryptosystem is the Hill cipher, which was invented by Lester Hill in 1929. It is based on linear algebra and, like the Vigenère cipher, is an affine linear block cipher.

Example 1.4 Hill cipher, a symmetric cryptosystem and a linear block cipher.

For fixed $n \in \mathbb{N}$, the key space $\mathcal{K}$ is the set of all invertible $n \times n$ matrices in $\mathbb{Z}_{26}^{n \times n}$. Again, $\mathcal{P} = \mathcal{C} = \mathbb{Z}_{26}^n$ and messages $m \in \Sigma^*$ are split into blocks of length $n$ and are encrypted block-wise. All arithmetic operations are carried out modulo 26.

The Hill cipher is defined as follows.

— For each $K \in \mathcal{K}$, define the encryption function $E_K : \mathbb{Z}_{26}^n \to \mathbb{Z}_{26}^n$ by

$E_K(p) = K \cdot p \bmod 26,$

where $\cdot$ denotes matrix multiplication modulo 26.

¹From this example we not only learn how the Vigenère cipher works, but also that using a language such as Finnish, which is not widely used, often makes illegal decryption harder, and thus results in a higher level of security. This is not a purely theoretical observation. During World War II, the US Navy transmitted important messages using the language of the Navajos, a Native American tribe. The "Navajo Code" was never broken by the Japanese code-breakers, see [Sin99].
— Letting $K^{-1}$ denote the inverse matrix of $K$, the decryption function $D_{K^{-1}} : \mathbb{Z}_{26}^n \to \mathbb{Z}_{26}^n$ is defined by

$D_{K^{-1}}(c) = K^{-1} \cdot c \bmod 26.$

Since $K^{-1}$ can easily be computed from $K$, the Hill cipher is a symmetric cryptosystem. It is also the most general linear block cipher.

Concrete examples of messages encrypted by the Hill cipher can be found in, e.g., [Sal96].
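An added Python implementation of the Hill cipher for any block length $n$ (my own code, not from the tutorial or [Sal96]): because $\mathbb{Z}_{26}$ is not a field, $K^{-1}$ is computed through the adjugate and a modular inverse of $\det K$, which is exactly why the key must be an invertible matrix modulo 26. The key matrix used below is constructed for illustration.

```python
from string import ascii_uppercase

MOD = 26
ALPHABET = ascii_uppercase  # Sigma identified with Z_26

Matrix = list[list[int]]


def det(matrix: Matrix) -> int:
    """Determinant over the integers by Laplace expansion along the first row."""
    if len(matrix) == 1:
        return matrix[0][0]
    return sum((-1) ** j * matrix[0][j] * det([row[:j] + row[j + 1:] for row in matrix[1:]])
               for j in range(len(matrix)))


def inverse_mod26(matrix: Matrix) -> Matrix:
    """K^{-1} modulo 26 via the adjugate: K^{-1} = det(K)^{-1} * adj(K) mod 26.
    Gauss-Jordan elimination is avoided because Z_26 is not a field; the adjugate
    only needs a modular inverse of det(K), which exists iff gcd(det K, 26) = 1."""
    n = len(matrix)
    try:
        det_inv = pow(det(matrix) % MOD, -1, MOD)  # ValueError if det is not a unit mod 26
    except ValueError:
        raise ValueError("matrix is not invertible modulo 26, so it is not a Hill key") from None
    adj = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            minor = [row[:j] + row[j + 1:] for r, row in enumerate(matrix) if r != i]
            cofactor = (-1) ** (i + j) * (det(minor) if n > 1 else 1)
            adj[j][i] = cofactor  # the adjugate is the transposed cofactor matrix
    return [[(det_inv * adj[i][j]) % MOD for j in range(n)] for i in range(n)]


def multiply_block(matrix: Matrix, block: list[int]) -> list[int]:
    """K . p mod 26 for one block p of n residues, treated as a column vector."""
    return [sum(matrix[i][j] * block[j] for j in range(len(block))) % MOD
            for i in range(len(matrix))]


def hill_encrypt(message: str, key: Matrix) -> str:
    """E_K(p) = K . p mod 26, applied block-wise to blocks of length n = dim(K)."""
    n = len(key)
    if len(message) % n:
        raise ValueError("message length must be a multiple of the block length")
    nums = [ALPHABET.index(ch) for ch in message]
    out: list[int] = []
    for start in range(0, len(nums), n):
        out += multiply_block(key, nums[start:start + n])
    return "".join(ALPHABET[v] for v in out)


def hill_decrypt(cipher: str, key: Matrix) -> str:
    """D_{K^{-1}}(c) = K^{-1} . c mod 26; K^{-1} is derived from K, so the system is symmetric."""
    return hill_encrypt(cipher, inverse_mod26(key))


# Constructed example key (not from the tutorial): det = 3*5 - 3*2 = 9 and gcd(9, 26) = 1.
EXAMPLE_KEY: Matrix = [[3, 3], [2, 5]]
```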

Affine linear block ciphers are easy to break by "known-plain-text attacks," i.e., for an attacker who knows some sample plain texts with the corresponding encryptions, it is not too hard to find the key used to encrypt these plain texts. They are even more vulnerable to "chosen-plain-text attacks," where the attacker can choose some pairs of corresponding plain texts and encryptions, which may be useful if there are reasonable conjectures about the key used.

The method of frequency counts is often useful for decrypting messages. It ex- 
ploits the redundancy of the natural language used for plain text messages. For 
example, in many languages the letter "E" occurs, statistically significant, most 
frequently, with a percentage of 12.31% in English, of 15.87% in French, and even 
of 18.46% in German, see [Sal96]. Some languages have other letters that occur 
with the highest frequency; for example, "A" is the most frequent letter in average 
Finnish texts, with a percentage of 12.06% [Sal96]. 

In 1863, the German cryptanalyst Friedrich Wilhelm Kasiski found a method 
to break the Vigenere cipher. Singh [Sin99] attributes this achievement also to an 
unpublished work, done probably around 1854, by the British genius and eccen- 
tric Charles Babbage. The books by Salomaa [Sal96] and Singh [Sin99] describe 
Kasiski's and Babbage's method. It marks a breakthrough in the history of crypt- 
analysis, because previously the Vigenere cipher was considered unbreakable. In 
particular, like similar periodic cryptosystems with an unknown period, the Vi- 
genere cipher appeared to resist cryptanalysis by counting and analysing the fre- 
quency of letters in the cipher text. Kasiski showed how to determine the period 
from repetitions of the same substring in the cipher text. 

In light of Kasiski's and Babbage's achievement, it is natural to ask whether there exist any cryptosystems that guarantee perfect secrecy. We turn to this question in the next section that describes some of the pioneering work of Claude Shannon [Sha49], who laid the foundations of modern coding and information theory.

1.2 Conditional Probability and Bayes's Theorem

To discuss perfect secrecy of cryptosystems in mathematical terms, we first need 
some preliminaries from elementary probability theory. 

Definition 1.5. Let $A$ and $B$ be events with $\Pr(B) > 0$.

— The probability that $A$ occurs under the condition that $B$ occurs is defined by

$\Pr(A \mid B) = \frac{\Pr(A \cap B)}{\Pr(B)}.$

— $A$ and $B$ are independent if $\Pr(A \cap B) = \Pr(A)\Pr(B)$ (equivalently, if $\Pr(A \mid B) = \Pr(A)$).
Lemma 1.6 Bayes's Theorem. Let $A$ and $B$ be events with $\Pr(A) > 0$ and $\Pr(B) > 0$. Then,

$\Pr(B)\Pr(A \mid B) = \Pr(A)\Pr(B \mid A).$

Proof. By definition,

$\Pr(B)\Pr(A \mid B) = \Pr(A \cap B) = \Pr(B \cap A) = \Pr(A)\Pr(B \mid A).$ ∎

1.3 Perfect Secrecy: Shannon's Theorem 

Consider the following scenario:

[Figure: Alice and Bob communicate over an insecure channel while Erich eavesdrops.]
Using a cryptosystem $(\mathcal{P}, \mathcal{C}, \mathcal{K}, \mathcal{E}, \mathcal{D})$, Alice and Bob are communicating over an insecure channel in the presence of eavesdropper Erich. Recall that $\mathcal{P}$, $\mathcal{C}$, and $\mathcal{K}$ are finite sets. Erich reads a cipher text, $c \in \mathcal{C}$, and tries to get some information about the corresponding plain text, $p \in \mathcal{P}$. The plain texts are distributed on $\mathcal{P}$ according to a probability distribution $\Pr_{\mathcal{P}}$ that may depend on the language used. For each new plain text, Alice chooses a new key from $\mathcal{K}$ that is independent of the plain text to be encrypted. The keys are distributed according to a probability distribution $\Pr_{\mathcal{K}}$ on $\mathcal{K}$. The distributions $\Pr_{\mathcal{P}}$ and $\Pr_{\mathcal{K}}$ induce a probability distribution $\Pr = \Pr_{\mathcal{P} \times \mathcal{K}}$ on $\mathcal{P} \times \mathcal{K}$. Thus, for each plain text $p$ and each key $k$,

$\Pr(p, k) = \Pr_{\mathcal{P}}(p)\,\Pr_{\mathcal{K}}(k)$

is the probability that the plain text $p$ is encrypted with the key $k$, where $p$ and $k$ are independent.

$\Pr(p) = \Pr_{\mathcal{P}}(p)$ is the probability that the plain text $p$ will be encrypted. Similarly, $\Pr(k) = \Pr_{\mathcal{K}}(k)$ is the probability that the key $k$ will be used. Let $c$ be another random variable whose distribution is determined by the system used. Then, $\Pr(p \mid c)$ is the probability that $p$ is encrypted under the condition that $c$ is received. Erich knows the cipher text $c$, and he knows the probability distribution $\Pr_{\mathcal{P}}$, since he knows the language used by Alice and Bob.

Definition 1.7. A cryptosystem $(\mathcal{P}, \mathcal{C}, \mathcal{K}, \mathcal{E}, \mathcal{D})$ provides perfect secrecy if and only if

$(\forall p \in \mathcal{P})\,(\forall c \in \mathcal{C})\,[\Pr(p \mid c) = \Pr(p)].$

That is, a cryptosystem achieves perfect secrecy if the event that some plain text $p$ is encrypted and the event that some cipher text $c$ is received are independent: Erich learns nothing about $p$ from knowing $c$. The following example of a cryptosystem that does not provide perfect secrecy is due to Buchmann [Buc01].

Example 1.8 Perfect secrecy. Let $\mathcal{P}$, $\mathcal{C}$, and $\mathcal{K}$ be given such that:

— $\mathcal{P} = \{0, 1\}$, where $\Pr(0) = \frac{1}{4}$ and $\Pr(1) = \frac{3}{4}$;
— $\mathcal{K} = \{A, B\}$, where $\Pr(A) = \frac{1}{4}$ and $\Pr(B) = \frac{3}{4}$;
— $\mathcal{C} = \{a, b\}$.

It follows that, for example, the probability that a "1" occurs and is encrypted with the key $B$ is:

$\Pr(1, B) = \Pr(1) \cdot \Pr(B) = \frac{3}{4} \cdot \frac{3}{4} = \frac{9}{16}.$

Let the encryption functions be given by:

$E_A(0) = a;\quad E_A(1) = b;\quad E_B(0) = b;\quad E_B(1) = a.$

Hence, the probability that the cipher text $a$ occurs is:

$\Pr(a) = \Pr(0, A) + \Pr(1, B) = \frac{1}{16} + \frac{9}{16} = \frac{5}{8}.$

Similarly, the probability that the cipher text $b$ occurs is:

$\Pr(b) = \Pr(1, A) + \Pr(0, B) = \frac{3}{16} + \frac{3}{16} = \frac{3}{8}.$

Then, for each pair $(p, c) \in \mathcal{P} \times \mathcal{C}$, the conditional probability $\Pr(p \mid c)$ is:

$\Pr(0 \mid a) = \frac{\Pr(0, A)}{\Pr(a)} = \frac{1/16}{5/8} = \frac{1}{10};\qquad \Pr(0 \mid b) = \frac{\Pr(0, B)}{\Pr(b)} = \frac{3/16}{3/8} = \frac{1}{2};$

$\Pr(1 \mid a) = \frac{\Pr(1, B)}{\Pr(a)} = \frac{9/16}{5/8} = \frac{9}{10};\qquad \Pr(1 \mid b) = \frac{\Pr(1, A)}{\Pr(b)} = \frac{3/16}{3/8} = \frac{1}{2}.$

In particular, it follows that

$\Pr(0) = \frac{1}{4} \neq \frac{1}{10} = \Pr(0 \mid a),$

and thus the given cryptosystem does not provide perfect secrecy: If Erich sees the cipher text $a$, he can be pretty sure that the encrypted plain text was a "1."

Theorem 1.9 Shannon [Sha49]. Let $S = (\mathcal{P}, \mathcal{C}, \mathcal{K}, \mathcal{E}, \mathcal{D})$ be a cryptosystem with $\|\mathcal{C}\| = \|\mathcal{K}\|$ and $\Pr(p) > 0$ for each $p \in \mathcal{P}$. Then, $S$ provides perfect secrecy if and only if

(1) $\Pr_{\mathcal{K}}$ is the uniform distribution, and

(2) for each $p \in \mathcal{P}$ and for each $c \in \mathcal{C}$, there exists a unique key $k \in \mathcal{K}$ with $E_k(p) = c$.
Proof. Assume that $S$ provides perfect secrecy. We show that the conditions (1) and (2) hold.

Condition (2): Fix a plain text $p \in \mathcal{P}$. Suppose that there is a cipher text $c \in \mathcal{C}$ such that for all $k \in \mathcal{K}$, it holds that $E_k(p) \neq c$. Thus,

$\Pr(p) \neq 0 = \Pr(p \mid c),$

which implies that $S$ does not provide perfect secrecy, a contradiction. Hence,

$(\forall c \in \mathcal{C})\,(\exists k \in \mathcal{K})\,[E_k(p) = c].$

Now, $\|\mathcal{C}\| = \|\mathcal{K}\|$ implies that each cipher text $c \in \mathcal{C}$ has a unique key $k$ with $E_k(p) = c$.

Condition (1): Fix a cipher text $c \in \mathcal{C}$. For $p \in \mathcal{P}$, let $k(p)$ be the unique key $k$ with $E_k(p) = c$. By Bayes's theorem, for each $p \in \mathcal{P}$, we have:

Since $S$ provides perfect secrecy, we have $\Pr(p \mid c) = \Pr(p)$. By Equation (1.2), this implies $\Pr(k(p)) = \Pr(c)$, and this equality holds independently of $p$. Hence, the probabilities $\Pr(k)$ are equal for all $k \in \mathcal{K}$, which implies $\Pr(k) = \frac{1}{\|\mathcal{K}\|}$. Thus, $\Pr_{\mathcal{K}}$ is the uniform distribution.

Conversely, suppose that conditions (1) and (2) hold. We show that $S$ provides perfect secrecy. Let $k = k(p, c)$ be the unique key $k$ with $E_k(p) = c$. By Bayes's theorem, it follows that

$\Pr(p \mid c) = \frac{\Pr(p)\Pr(c \mid p)}{\Pr(c)} = \frac{\Pr(p)\Pr(k(p, c))}{\sum_{q \in \mathcal{P}} \Pr(q)\Pr(k(q, c))}.$ (1.3)

Since all keys are uniformly distributed, it follows that

$\Pr(k(p, c)) = \frac{1}{\|\mathcal{K}\|}.$

Moreover, we have that

$\sum_{q \in \mathcal{P}} \Pr(q)\Pr(k(q, c)) = \frac{\sum_{q \in \mathcal{P}} \Pr(q)}{\|\mathcal{K}\|} = \frac{1}{\|\mathcal{K}\|}.$

Substituting this equality in Equation (1.3) gives:

$\Pr(p \mid c) = \Pr(p).$

Hence, $S$ provides perfect secrecy. ∎
1.4 Vernam's One-Time Pad 

The Vernam one-time pad is a symmetric cryptosystem that does provide perfect secrecy. It was invented by Gilbert Vernam in 1917,² and is defined as follows. Let $\mathcal{P} = \mathcal{C} = \mathcal{K} = \{0, 1\}^n$ for some $n \in \mathbb{N}$. For $k \in \{0, 1\}^n$, define

— the encryption function $E_k : \{0, 1\}^n \to \{0, 1\}^n$ by

$E_k(p) = p \oplus k \bmod 2,$ and

— the decryption function $D_k : \{0, 1\}^n \to \{0, 1\}^n$ by

$D_k(c) = c \oplus k \bmod 2,$

where $\oplus$ denotes bit-wise addition modulo 2. The keys are uniformly distributed on $\{0, 1\}^n$. Note that for each plain text $p$ a new key $k$ is chosen from $\{0, 1\}^n$.

By Shannon's Theorem, the one-time pad provides perfect secrecy, since for each plain text $p \in \mathcal{P}$ and for each cipher text $c \in \mathcal{C}$, there exists a unique key $k \in \mathcal{K}$ with $c = p \oplus k$, namely the string $k = c \oplus p$.

However, the one-time pad has major disadvantages that make it impractical to use in most concrete scenarios: To obtain perfect secrecy, every key can be used only once, and it must be at least as long as the plain text to be transmitted. Surely, since for every communication a new secret key at least as long as the plain text must be transmitted, this results in a vicious circle. Despite these drawbacks, for the perfect secrecy it provides, the one-time pad has been used in real-world applications such as, allegedly, the hotline between Moscow and Washington, see [Sim79, p. 316].

²Slightly differing from the system described here, Vernam's actual invention was a system with a finite period and hence did not provide perfect secrecy; see Kahn [Kah67] on this point.
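The computations of Example 1.8, the two conditions of Shannon's Theorem 1.9, and the one-time pad of Section 1.4, worked through in an added Python example (my own code, not from the tutorial): exact arithmetic with Fraction avoids rounding, so Pr(p | c) = Pr(p) is tested as an equality. The function names and the non-uniform plain text distribution on {0,1}^2 are my own constructions.

```python
from fractions import Fraction
from itertools import product
from typing import Callable, Dict, Hashable, Tuple

Dist = Dict[Hashable, Fraction]                   # element -> probability
Enc = Callable[[Hashable, Hashable], Hashable]    # enc(k, p) = E_k(p)


def conditional_probabilities(pr_p: Dist, pr_k: Dist, enc: Enc) -> Dict[Tuple, Fraction]:
    """Return {(p, c): Pr(p | c)}.  With p and k independent, Pr(p, k) = Pr(p) Pr(k);
    Pr(p, c) sums Pr(p, k) over the keys k with E_k(p) = c, and Pr(c) sums Pr(p, c) over p."""
    joint: Dict[Tuple, Fraction] = {}
    for p, k in product(pr_p, pr_k):
        c = enc(k, p)
        joint[(p, c)] = joint.get((p, c), Fraction(0)) + pr_p[p] * pr_k[k]
    pr_c: Dict[Hashable, Fraction] = {}
    for (_, c), v in joint.items():
        pr_c[c] = pr_c.get(c, Fraction(0)) + v
    return {(p, c): joint.get((p, c), Fraction(0)) / pr_c[c] for p in pr_p for c in pr_c}


def provides_perfect_secrecy(pr_p: Dist, pr_k: Dist, enc: Enc) -> bool:
    """Definition 1.7: Pr(p | c) = Pr(p) for every plain text p and every cipher text c."""
    cond = conditional_probabilities(pr_p, pr_k, enc)
    return all(cond[(p, c)] == pr_p[p] for (p, c) in cond)


def shannon_conditions(pr_p: Dist, pr_k: Dist, enc: Enc) -> Tuple[bool, bool]:
    """Theorem 1.9: (1) Pr_K is uniform; (2) for each p and c there is exactly one key k
    with E_k(p) = c.  Under ||C|| = ||K|| and Pr(p) > 0 for all p, both hold iff the
    system provides perfect secrecy."""
    keys = list(pr_k)
    uniform = all(pr_k[k] == Fraction(1, len(keys)) for k in keys)
    ciphers = {enc(k, p) for k in keys for p in pr_p}
    unique = all(sum(1 for k in keys if enc(k, p) == c) == 1
                 for p in pr_p for c in ciphers)
    return uniform, unique


# Example 1.8 (Buchmann): the key distribution is skewed, so there is no perfect secrecy.
PR_P_18: Dist = {0: Fraction(1, 4), 1: Fraction(3, 4)}
PR_K_18: Dist = {"A": Fraction(1, 4), "B": Fraction(3, 4)}
E_18 = {("A", 0): "a", ("A", 1): "b", ("B", 0): "b", ("B", 1): "a"}


def enc_18(k, p):
    return E_18[(k, p)]


# Vernam one-time pad on {0,1}^n, with bit strings represented as the integers 0 .. 2^n - 1:
# keys are uniform and E_k(p) = p XOR k (bit-wise addition modulo 2).
def otp_keys(n: int) -> Dist:
    return {k: Fraction(1, 2 ** n) for k in range(2 ** n)}


def otp_enc(k: int, p: int) -> int:
    return p ^ k


# Constructed, deliberately non-uniform plain text distribution on {0,1}^2 (all Pr(p) > 0).
PR_P_OTP: Dist = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8), 3: Fraction(1, 8)}
```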

2. RSA CRYPTOSYSTEM 

The RSA cryptosystem, named after its inventors Ron Rivest, Adi Shamir, and Leonard Adleman, is the first public-key cryptosystem [RSA78]. It is still widely used in cryptographic applications today. Again, the scenario is that Alice and Bob want to exchange messages over an insecure channel on which Erich is an eavesdropper:




In order to describe how the RSA cryptosystem works, we first need some pre- 
liminaries from elementary number theory. 

2.1 Euler and Fermat's Theorems 

The greatest common divisor of two integers $a$ and $b$ is denoted by $\gcd(a, b)$. For $n \in \mathbb{N}$, define the set

$\mathbb{Z}_n^* = \{ i \mid 1 \le i \le n - 1 \text{ and } \gcd(i, n) = 1 \}.$

The Euler function $\phi$ is defined by $\phi(n) = \|\mathbb{Z}_n^*\|$. Note that $\mathbb{Z}_n^*$ is a group (with respect to multiplication) of order $\phi(n)$. The following useful properties of $\phi$ follow from the definition:

— $\phi(m \cdot n) = \phi(m) \cdot \phi(n)$ for all $m, n \in \mathbb{N}$ with $\gcd(m, n) = 1$, and

— $\phi(p) = p - 1$ for all primes $p$.

We will specifically use that $\phi(n) = (p - 1)(q - 1)$, where $p$ and $q$ are primes and $n = pq$.

Euler's Theorem below is a special case (for the group $\mathbb{Z}_n^*$) of Lagrange's Theorem, which states that for each element $g$ of a finite multiplicative group $G$ having order $|G|$ and the neutral element 1, it holds that $g^{|G|} = 1$.

Theorem 2.1 Euler. For each $a \in \mathbb{Z}_n^*$, $a^{\phi(n)} = 1 \bmod n$.

The special case of Euler's Theorem with $n$ being a prime not dividing $a$ is known as Fermat's Little Theorem.

Theorem 2.2 Fermat's Little Theorem. If $p$ is a prime and $a \in \mathbb{Z}_p^*$, then $a^{p-1} = 1 \bmod p$.

2.2 RSA 

(1) Key generation: 

(1) Bob chooses randomly two large primes p and q with p ≠ q, and computes their 
product n = pq. 

(2) Bob chooses a number e ∈ ℕ with 

$1 < e < \phi(n) = (p-1)(q-1) \quad\text{and}\quad \gcd(e, \phi(n)) = 1.$ (2.4) 

(3) Bob computes the unique number d satisfying 

$1 < d < \phi(n) \quad\text{and}\quad e \cdot d \equiv 1 \bmod \phi(n).$ (2.5) 

That is, d is the inverse of e modulo φ(n). 

(4) The pair (n, e) is Bob's public key, and d is Bob's private key. 

In order to generate two large primes (e.g., primes with 80 digits each) efficiently, 
one can choose large numbers at random and test them for primality. Since by the 
Prime Number Theorem, the number of primes not exceeding N is approximately 
the odds of hitting a prime are good after a reasonably small number of 
trials. To verify the primality of the number picked, one usually makes use of a 
randomized polynomial-time primality test such as the Monte Carlo† algorithm of 
Rabin [Rab80] that is related to a deterministic algorithm due to Miller [Mil76]; 
their primality test is known as the Miller-Rabin test. An alternative, though less 
popular Monte Carlo algorithm was proposed by Solovay and Strassen [SS77]. The 
reason why the Solovay-Strassen test is less popular than the Miller-Rabin test is 
that it is less efficient and less accurate. These two primality tests, along with a 
careful complexity analysis and the required number-theoretical background, can 
be found in, e.g., the books by Stinson [Sti95] and Salomaa [Sal96]. Additional 
primality tests are contained in [Gol01b,Buc01]. 

†A Monte Carlo algorithm is a randomized algorithm whose "yes" answers are reliable, while its 
"no" answers may be erroneous with a certain error probability, or vice versa. The corresponding 
complexity classes are called R and coR, respectively, see [Gil77]. In contrast, a Las Vegas 
algorithm may for certain sequences of coin flips halt without giving an answer at all, but whenever it 
gives an answer, this answer is correct. The corresponding class, ZPP = R ∩ coR, was also defined 
by Gill [Gil77]. 

Extended Algorithm of Euclid 

Input: Two integers, $b_0$ and $b_1$. 

begin 
    $x_0 := 1$; $y_0 := 0$; $x_1 := 0$; $y_1 := 1$; $i := 1$; 
    while $b_i$ does not divide $b_{i-1}$ do 
        $q_i := \lfloor b_{i-1} / b_i \rfloor$; 
        $b_{i+1} := b_{i-1} - q_i \cdot b_i$; 
        $x_{i+1} := x_{i-1} - q_i \cdot x_i$; 
        $y_{i+1} := y_{i-1} - q_i \cdot y_i$; 
        $i := i + 1$ 
    end 
    begin output 
        $b := b_i$;    (* $b = \gcd(b_0, b_1) = 1$ *) 
        $x := x_i$; 
        $y := y_i$     (* y is the inverse of $b_1$ mod $b_0$ *) 
    end output 
end 

Fig. 1. The extended algorithm of Euclid. 

Note Added in Proof: Quite recently, Agrawal et al. [AKS02] designed 
a deterministic polynomial-time algorithm for primality. Their breakthrough 
result is a milestone in complexity theory and solves a long-standing 
open problem. It is unlikely, though, that this algorithm 
will have immediate consequences for cryptographic applications, since 
Agrawal et al. [AKS02] note that their algorithm has a running time of 
roughly $n^{12}$ and thus is much less efficient than the probabilistic primality 
tests currently in use. 

We now argue that the keys can be computed efficiently. In particular, the 
inverse d of e modulo φ(n) can be computed efficiently via the extended algorithm 
of Euclid; see Figure 1. 

Lemma 2.3. On input $b_0 = \phi(n)$ and $b_1 = e$, the extended algorithm of Euclid 
computes in polynomial time integers x and y such that 

$x \cdot \phi(n) + y \cdot e \equiv 1 \bmod \phi(n).$ 

Thus, y is the inverse of e modulo φ(n), and Bob chooses $d = y \bmod \phi(n)$ as his 
private key. 

Example 2.4. Bob chooses the primes p = 11 and q = 23, and computes their 
product n = 253 and φ(253) = 10 · 22 = 220. The smallest possible e satisfying 
Equation (2.4) is e = 3. The extended algorithm of Euclid yields the following 
sequence of $b_i$, $q_i$, $x_i$, and $y_i$: 

  i | $b_i$ | $q_i$ | $x_i$ | $y_i$ 
 ---|-------|-------|-------|------- 
  0 | 220   |       | 1     | 0 
  1 | 3     | 73    | 0     | 1 
  2 | 1     |       | 1     | −73 

Since $1 \cdot 220 + (-73) \cdot 3 = 220 - 219 \equiv 1 \bmod 220$, the unique value d = −73 + 220 = 
147 computed by Bob satisfies Equation (2.5) and is the inverse of e = 3 modulo 220. 
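The extended algorithm of Euclid from Figure 1, written out in Python as an added example that is not part of the tutorial: it records the rows $(i, b_i, q_i, x_i, y_i)$ so that the table above can be reproduced, and derives Bob's private exponent as in Lemma 2.3. The function names are this example's own; the input pair (220, 3) is the one of Example 2.4.

```python
# Added example, not from the tutorial: Fig. 1 (extended algorithm of Euclid)
# with the trace that Example 2.4 tabulates, and Bob's private exponent d
# from Lemma 2.3.  Function names are this example's own.


def extended_euclid(b0, b1):
    """Return (b, x, y, trace) with b = gcd(b0, b1) and x*b0 + y*b1 = b.

    Follows Fig. 1 literally: the sequences b_i, x_i, y_i are extended until
    b_i divides b_{i-1}.  trace holds the rows (i, b_i, q_i, x_i, y_i); q_i is
    None for row 0 and for the final row, where no quotient is formed.
    """
    if b1 == 0:
        raise ValueError("b1 must be nonzero")
    b, x, y = [b0, b1], [1, 0], [0, 1]
    q = [None, None]
    i = 1
    while b[i - 1] % b[i] != 0:             # while b_i does not divide b_{i-1} do
        q[i] = b[i - 1] // b[i]             # q_i := floor(b_{i-1} / b_i)
        b.append(b[i - 1] - q[i] * b[i])    # b_{i+1} := b_{i-1} - q_i * b_i
        x.append(x[i - 1] - q[i] * x[i])    # x_{i+1} := x_{i-1} - q_i * x_i
        y.append(y[i - 1] - q[i] * y[i])    # y_{i+1} := y_{i-1} - q_i * y_i
        q.append(None)
        i += 1
    # The invariant x_j*b0 + y_j*b1 = b_j holds for every row, hence for b_i.
    trace = [(j, b[j], q[j], x[j], y[j]) for j in range(i + 1)]
    return b[i], x[i], y[i], trace


def rsa_private_exponent(e, phi_n):
    """Lemma 2.3: run Fig. 1 on (b0, b1) = (phi(n), e) and take d = y mod phi(n)."""
    b, _x, y, _trace = extended_euclid(phi_n, e)
    if b != 1:
        raise ValueError("gcd(e, phi(n)) != 1, so e violates Eq. (2.4)")
    return y % phi_n                        # Python's % maps -73 to 147 for phi(n) = 220


if __name__ == "__main__":
    # Example 2.4: p = 11, q = 23, phi(n) = 220, e = 3
    b, x, y, trace = extended_euclid(220, 3)
    print("  i |  b_i | q_i | x_i | y_i")
    for i, bi, qi, xi, yi in trace:
        qs = "" if qi is None else str(qi)
        print(f"{i:>3} | {bi:>4} | {qs:>3} | {xi:>3} | {yi:>3}")
    print("x*b0 + y*b1 =", x * 220 + y * 3, "   d =", rsa_private_exponent(3, 220))
```

The trace for (220, 3) has exactly the three rows of the table above and ends with x = 1, y = −73; reducing y modulo 220 gives d = 147. Because the invariant $x_j b_0 + y_j b_1 = b_j$ holds in every row, the same function also returns gcd(240, 46) = 2 with a matching certificate, which is how a key generator checks the coprimality condition of Equation (2.4) before accepting an exponent e.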

(2) Encryption: We assume that messages over some alphabet Σ are block-wise 
encoded as positive integers with a fixed block length. Suppose that m < n is 
the message Alice wants to send to Bob. Alice knows Bob's public key (n, e) and 
computes the encryption $c = E_{(n,e)}(m)$ of m, where the encryption function is 
defined by 

$E_{(n,e)}(m) = m^e \bmod n.$ 

Performed naively, this computation may require a large number of multiplications, 
depending on the choice of e. To ensure efficient encryption, we will employ a 
"fast exponentiation" algorithm called "square-and-multiply," see Figure 2 below. 

Square-and-Multiply Algorithm 

Input: m, n, e ∈ ℕ, where m < n. 

Step 1. Let the binary expansion of the exponent e be given by 

$e = \sum_{i=0}^{k} e_i 2^i, \quad \text{where } e_i \in \{0, 1\}.$ 

Step 2. Successively compute $m^{2^i}$, where 0 ≤ i ≤ k, using the equality 

$m^{2^{i+1}} = \left(m^{2^i}\right)^2.$ 

It is not necessary to store the intermediate values of $m^{2^i}$. 

Step 3. In the arithmetic modulo n, compute 

$m^e = \prod_{\substack{i=0 \\ e_i = 1}}^{k} m^{2^i}.$ (2.6) 

Output: $m^e$. 

Fig. 2. The square-and-multiply algorithm. 

Equation (2.6) in Step 3 of Figure 2 is correct, since 

$m^e = m^{\sum_{i=0}^{k} e_i 2^i} = \prod_{i=0}^{k} \left(m^{2^i}\right)^{e_i} = \prod_{\substack{i=0 \\ e_i = 1}}^{k} m^{2^i}.$ 

Hence, instead of e multiplications, Alice needs to compute no more than 2 log e 
multiplications. Thus, the square-and-multiply method speeds up the encryption 
exponentially. 
Example 2.5. Suppose Alice wants to compute $c = 6^{17} \bmod 100$. The binary 
expansion of the exponent is $17 = 1 + 16 = 2^0 + 2^4$. 

(1) Alice successively computes: 

$6^{2^0} = 6^1 = 6;$ 
$6^{2^1} = 6^2 = 36;$ 
$6^{2^2} = 36^2 \equiv -4 \bmod 100;$ 
$6^{2^3} \equiv (-4)^2 \bmod 100 \equiv 16 \bmod 100;$ 
$6^{2^4} \equiv 16^2 \bmod 100 \equiv 56 \bmod 100.$ 

(2) Alice computes her cipher text 

$c = 6^{17} \bmod 100 = 6 \cdot 6^{2^4} \bmod 100 \equiv 6 \cdot 56 \bmod 100 \equiv 36 \bmod 100.$ 

Note that only four squarings and one multiplication are needed for her to 
compute the cipher text. 
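The square-and-multiply algorithm of Figure 2 in Python, as an added example that is not part of the tutorial. It returns the intermediate powers $m^{2^i} \bmod n$ of Step 2 and counts the squarings and multiplications, so the five values and the "four squarings and one multiplication" of Example 2.5 can be checked, as can the operation count for the exponent $2^{16} + 1$ discussed in Section 2.4. Function names are this example's own.

```python
# Added example, not from the tutorial: the square-and-multiply algorithm of
# Fig. 2 with the trace of Example 2.5 and a count of the modular operations.
# Function names are this example's own.


def square_and_multiply(m, e, n):
    """Return (m**e mod n, powers, squarings, multiplications).

    powers[i] is m^(2^i) mod n for 0 <= i <= k, computed by repeated squaring
    (Step 2 of Fig. 2); the result is the product of the powers[i] with
    e_i = 1 (Step 3, Eq. (2.6)).  Negative remainders such as the -4 of
    Example 2.5 appear here as their representatives in 0..n-1 (96).
    """
    if n <= 0 or e < 0:
        raise ValueError("need n > 0 and e >= 0")
    bits = bin(e)[2:][::-1]                 # e_0, e_1, ..., e_k (least significant bit first)
    powers, squarings = [m % n], 0
    for _ in bits[1:]:
        powers.append((powers[-1] * powers[-1]) % n)   # m^(2^(i+1)) = (m^(2^i))^2
        squarings += 1
    result, multiplications = 1, 0
    first = True
    for i, bit in enumerate(bits):
        if bit == "1":
            if first:                       # the first factor is taken as is
                result, first = powers[i], False
            else:
                result = (result * powers[i]) % n
                multiplications += 1
    return result % n, powers, squarings, multiplications


if __name__ == "__main__":
    c, powers, sq, mu = square_and_multiply(6, 17, 100)   # Example 2.5
    for i, value in enumerate(powers):
        print(f"6^(2^{i}) mod 100 = {value}")
    print(f"6^17 mod 100 = {c} using {sq} squarings and {mu} multiplication(s)")
    _, _, sq, mu = square_and_multiply(6, 65537, 100)     # e = 2^16 + 1
    print(f"e = 2^16 + 1 needs {sq} squarings and {mu} multiplication(s)")
```

For e = 17 the powers come out as 6, 36, 96, 16, 56 (96 being −4 modulo 100) with four squarings and one multiplication; for e = 2^16 + 1 the same code performs sixteen squarings and a single multiplication, which is the answer to the footnote question in Section 2.4. The bound of 2 log e operations follows because each bit of e costs at most one squaring and one multiplication.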

(3) Decryption: Let c, 0 ≤ c < n, be the cipher text sent to Bob; c is subject to 
eavesdropping by Erich. Bob decrypts c using his private key d and the following 
decryption function: 

$D_d(c) = c^d \bmod n.$ 

Again, the fast exponentiation algorithm described in Figure 2 ensures that the 
legal recipient Bob can decrypt the cipher text efficiently. Thus, the RSA protocol 
is feasible. To prove that it is correct, we show that Equation (1.1) is satisfied. 



Step | Alice | Erich | Bob 
-----|-------|-------|----- 
1    |       |       | chooses large primes p, q at random, computes n = pq and φ(n) = (p − 1)(q − 1), his public key (n, e) with e satisfying Eq. (2.4), and his private key d satisfying Eq. (2.5) 
2    |       | ⇐ (n, e) | 
3    | encrypts message m by computing $c = m^e \bmod n$ | | 
4    |       | c ⇒   | 
5    |       |       | decrypts cipher text c by computing $m = c^d = (m^e)^d \bmod n$ 

Fig. 3. The RSA protocol. 

Figure 3 summarizes the single steps of the RSA protocol and displays the 
information communicated by Alice and Bob that is subject to eavesdropping by 
Erich. 

Theorem 2.6. Let (n, e) and d be Bob's public and private key in the RSA 
protocol. Then, for each message m with 0 ≤ m < n, 

$m \equiv (m^e)^d \bmod n.$ 

That is, RSA is a public-key cryptosystem. 

Proof. Since $e \cdot d \equiv 1 \bmod \phi(n)$ by Equation (2.5), there exists an integer t 
such that 

$e \cdot d = 1 + t(p-1)(q-1),$ 

where n = pq. It follows that 

$(m^e)^d = m^{ed} = m^{1 + t(p-1)(q-1)} = m \left(m^{t(p-1)(q-1)}\right) = m \left(m^{p-1}\right)^{t(q-1)}.$ 

Hence, we have 

$(m^e)^d \equiv m \bmod p,$ (2.7) 

since if p divides m then both sides of Equation (2.7) are 0 mod p, and if p does 
not divide m (i.e., gcd(p, m) = 1) then by Fermat's Little Theorem, we have 

$m^{p-1} \equiv 1 \bmod p.$ 

By a symmetric argument, it holds that 

$(m^e)^d \equiv m \bmod q.$ 

Since p and q are primes with p ≠ q, it follows from the Chinese Remainder Theorem 
(see, e.g., [Knu81] or [Sti95]) that 

$(m^e)^d \equiv m \bmod n.$ 

Since m < n, the claim follows. ∎ 

2.3 RSA Digital Signature Protocol 

The RSA public-key cryptosystem described in Section 2.2 can be modified so as 
to yield a digital signature protocol. Figure 4 shows how the RSA digital signature 
protocol works. A chosen-plain-text attack on the RSA digital signature scheme, 
and countermeasures to avoid it, are described in Section 2.4. 
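An added example, not from the tutorial, that puts the pieces of Sections 2.2 and 2.3 together in Python: key generation from given primes with the checks of Equations (2.4) and (2.5), encryption and decryption as in Figure 3, signing and verification as in Figure 4, and a brute-force check of Theorem 2.6 over every block of the toy modulus n = 253 from Example 2.4. The names are this example's own; the modular inverse uses Python's built-in `pow(e, -1, phi)` (Python 3.8 or later) in place of Figure 1, and the primality of p and q is taken as given.

```python
# Added example, not from the tutorial: RSA key generation, encryption and
# decryption (Section 2.2, Fig. 3) and signing/verification (Section 2.3,
# Fig. 4) on the key of Example 2.4, plus a check of Theorem 2.6 over every
# message block.  Names are this example's own; the primality of p and q is
# assumed as given (the tutorial leaves that to a randomized primality test).
from dataclasses import dataclass
from math import gcd


@dataclass(frozen=True)
class RSAKey:
    n: int          # public modulus
    e: int          # public exponent
    d: int          # private exponent; p and q are not kept


def rsa_keygen(p, q, e):
    """Steps (1)-(4) of the key generation in Section 2.2 for given p, q, e."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi_n = (p - 1) * (q - 1)
    if not 1 < e < phi_n or gcd(e, phi_n) != 1:
        raise ValueError("e violates Eq. (2.4)")
    d = pow(e, -1, phi_n)                    # inverse of e modulo phi(n), Eq. (2.5)
    return RSAKey(n, e, d)


def rsa_encrypt(key, m):
    """E_(n,e)(m) = m^e mod n for a message block 0 <= m < n."""
    if not 0 <= m < key.n:
        raise ValueError("message block must satisfy 0 <= m < n")
    return pow(m, key.e, key.n)


def rsa_decrypt(key, c):
    """D_d(c) = c^d mod n."""
    return pow(c, key.d, key.n)


def rsa_sign(key, m):
    """sig_A(m) = m^d mod n (Fig. 4, step 2)."""
    return pow(m, key.d, key.n)


def rsa_verify(key, m, sig):
    """Fig. 4, step 4: accept iff m == sig^e mod n."""
    return pow(sig, key.e, key.n) == m % key.n


def theorem_2_6_holds(key):
    """(m^e)^d == m mod n for all 0 <= m < n; only feasible for a toy modulus."""
    return all(rsa_decrypt(key, rsa_encrypt(key, m)) == m for m in range(key.n))


if __name__ == "__main__":
    key = rsa_keygen(11, 23, 3)              # Example 2.4: n = 253, d = 147
    c = rsa_encrypt(key, 42)
    print(f"public key (n, e) = ({key.n}, {key.e}), private key d = {key.d}")
    print(f"c = {c}, decrypted = {rsa_decrypt(key, c)}")
    sig = rsa_sign(key, 42)
    print(f"sig_A(42) = {sig}, verifies: {rsa_verify(key, 42, sig)}")
    print("Theorem 2.6 holds for every block:", theorem_2_6_holds(key))
```

With p = 11, q = 23 and e = 3 the key generator reproduces d = 147, and the exhaustive check confirms Theorem 2.6 for all 253 blocks, including the blocks divisible by p or q that the proof treats separately. Rejecting e = 5 for this modulus (gcd(5, 220) = 5) shows the Equation (2.4) check doing its job.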

2.4 Security of RSA and Possible Attacks on RSA 

The security of the RSA cryptosystem strongly depends on whether factoring large 
integers is intractable. It is widely believed that there is no efficient factoring 
algorithm, since no such algorithm has been found so far, despite considerable 
efforts in the past. However, it is not known whether the problem of factoring large 
integers is as hard as the problem of cracking the RSA system. 
Step | Alice | Erich | Bob 
-----|-------|-------|----- 
1    | chooses n = pq, her public key (n, e), and her private key d as in the RSA protocol, see Section 2.2 | | 
2    | computes her signature $\mathrm{sig}_A(m) = m^d \bmod n$ for the message m | | 
3    |       | m, $\mathrm{sig}_A(m)$ ⇒ | 
4    |       |       | verifies Alice's signature by checking the congruence $m \equiv (\mathrm{sig}_A(m))^e \bmod n$ 

Fig. 4. The RSA digital signature protocol. 



Here is a list of potential attacks on the RSA system. To preclude these direct 
attacks, some care must be taken in choosing the primes p and q, the modulus n, 
the exponent e, and the private key d. For further background on the security 
of the RSA system and on proposed attacks to break it, the reader is referred 
to [Bon99,Sha95,KR95,Moo92]. For each attack on RSA that has been proposed in 
the literature to date, some practical countermeasures are known, rules of thumb 
that prevent the success of those attacks or, at least, that make their likelihood of 
success negligibly small. 

Factoring attacks. The aim of the attacker Erich is to use the public key (n, e) 
to recover the private key d by factoring n, i.e., by computing the primes p and q 
with n = pq. Knowing p and q, he can just like Bob compute φ(n) = (p − 1)(q − 1) 
and thus the inverse d of e modulo φ(n), using the extended algorithm of Euclid; 
see Figure 1 and Lemma 2.3. There are various ways in which Erich might mount 
this type of attack on RSA. 

— Brute-force attack: Erich might try to factor the modulus n simply by exhaustive 
search of the complete key space. Choosing n sufficiently large will prevent this 
type of attack. Currently, it is recommended to use moduli n with at least 768 
bits, i.e., the size of 512 bits formerly in use no longer provides adequate pro- 
tection today. Of course, the time complexity of modular exponentiation grows 
rapidly with the modulus size, and thus there is a tradeoff between increasing 
the security of RSA and decreasing its efficiency. 

It is also generally accepted that those moduli n consisting of prime factors p 
and q of roughly the same size are the hardest to factor. 
— General-purpose factoring methods: Examples of such general factoring algorithms 
are the general number field sieve (see, e.g., [LL93]) or the older quadratic 
sieve (see, e.g., [Buc01,Sti95]). They are based on the following simple idea. 
Suppose n is the number to be factorized. Using the respective "sieve," one 
determines integers a and b such that 

$a^2 \equiv b^2 \bmod n \quad\text{and}\quad a \not\equiv \pm b \bmod n.$ (2.8) 

Thus, n divides $a^2 - b^2 = (a-b)(a+b)$, but neither a − b nor a + b. Hence, gcd(a − b, n) 
is a nontrivial factor of n. The general number field sieve and the quadratic 
sieve differ in the specific way the integers a and b satisfying Equation (2.8) are 
found. 

— Special-purpose factoring methods: Depending on the form of the primes p and q, 
it might be argued that using special-purpose factoring methods such as Pollard's 
"p − 1 method" [Pol74] may be more effective and more successful than using 
general-purpose factoring methods. This potential threat led to the introduction 
of strong primes that resist such special-purpose factoring methods. A strong 
prime p is required to satisfy certain conditions such as that p − 1 has a large 
factor r and r − 1, in turn, has a large factor, etc. 

— Elliptic curve method: This factoring method was introduced by Lenstra [Len87], 
and it has some success probability regardless of the form of the primes cho- 
sen. Consequently, the most effective countermeasure against the elliptic curve 
method is to use primes of very large size. This countermeasure simultaneously 
provides, with a very high probability, protection against all known types of 
special-purpose factoring methods. In short, randomly chosen large primes are 
more important than strong primes. Note that weak primes are believed to be 
rare; Pomerance and Sorenson [PS95] study the density of weak primes. 

— Factoring on a quantum computer: Last, we mention that Shor's algorithm for 
factoring large numbers on a quantum computer [Sho97] poses a potential threat 
to the security of RSA and other cryptosystems whose security relies on the 
hardness of the factoring problem. More precisely, Shor's efficient quantum algo- 
rithm determines the order of a given group element, a problem closely related 
to the factoring problem. Using Miller's randomized reduction [Mil76], if one 
can efficiently compute the order of group elements, then one can efficiently solve 
the factoring problem. However, the quantum computer is a theoretical construct 
currently. Whether or not Shor's quantum factoring algorithm will be a practical 
threat remains to be seen in the future. 

Superencryption. Early on, Simmons and Norris [SN77] proposed an attack on 
RSA called superencryption. This attack is based on the observation that a sufficient 
number of encryptions will eventually recover the original message, since the 
RSA encryption function is an injective mapping onto a finite set, which makes the 
graph of the function a union of disjoint cycles. This attack is a threat to the security 
of RSA, provided that the number of encryptions required is small. Luckily, 
superencryption is not a practical attack if the primes are large and are chosen at 
random. 

Wiener's attack. Wiener [Wie90] proposed an attack on the RSA system by a 
continued fraction approximation, using the public key (n, e) to provide sufficient 
information to recover the private key d. More precisely, Wiener proved that if 
the keys in the RSA system are chosen such that n = pq, where q < p < 2q, and 
$d < \frac{1}{3} n^{1/4}$, then given the public key (n, e) with $ed \equiv 1 \bmod \phi(n)$ the private key 
d can be computed in linear time. 
Here is a proof sketch of Wiener's result (see [Bon99]). Since $ed \equiv 1 \bmod \phi(n)$, 
there exists a k such that $ed - k\phi(n) = 1$, which implies that $\frac{k}{d}$ is an approximation 
of $\frac{e}{\phi(n)}$: 

$\left| \frac{e}{\phi(n)} - \frac{k}{d} \right| = \frac{1}{d\,\phi(n)}.$ (2.9) 

Erich does not know φ(n), but he can use n in place of φ(n). Using $ed - k\phi(n) = 1$ 
and the easily verified fact that $|n - \phi(n)| < 3\sqrt{n}$, in place of Equation (2.9) we 
now have 

$\left| \frac{e}{n} - \frac{k}{d} \right| = \left| \frac{1 - k(n - \phi(n))}{dn} \right| < \frac{3k\sqrt{n}}{dn} = \frac{3k}{d\sqrt{n}}.$ 

Since $k\phi(n) = ed - 1 < ed$ and $e < \phi(n)$, we have $k < d < \frac{1}{3} n^{1/4}$. Hence, 

$\left| \frac{e}{n} - \frac{k}{d} \right| < \frac{1}{d\, n^{1/4}} \le \frac{1}{2d^2}.$ 

There are at most log n fractions $\frac{k}{d}$ with d < n approximating $\frac{e}{n}$ so tightly, and 
they can be obtained by computing the log n convergents of the continued fraction 
expansion of $\frac{e}{n}$ (see [HW79, Thm. 177]). Since $ed - k\phi(n) = 1$, we have gcd(k, d) = 
1, so $\frac{k}{d}$ is a reduced fraction. 

Note that this attack is efficient and practical, and thus is a concern, only if the 
private key d is chosen to be small relative to n. For example, if n is a 1024-bit 
number, then d must be at least 256 bits long in order to prevent Wiener's attack. 
A small value of d, however, enables fast decryption and in particular is desirable 
for low-power devices such as "smartcards." Therefore, Wiener proposed certain 
techniques that avoid his attack. 

The first technique is to use a large encryption exponent, say $e' = e + \ell\phi(n)$ for 
some large ℓ. For a large enough e', the factor k in the above proof is so large that 
Wiener's attack cannot be mounted, regardless of how small d is. 

The second technique uses the Chinese Remainder Theorem to speed up decryption, 
even if d is not small. Let d be a large decryption exponent such that both 
$d_p = d \bmod (p-1)$ and $d_q = d \bmod (q-1)$ are small. Then, one can decrypt a 
given cipher text c as follows. Compute $m_p = c^{d_p} \bmod p$ and $m_q = c^{d_q} \bmod q$, 
and use the Chinese Remainder Theorem to obtain the unique solution m modulo 
n = pq of the two equations $m \equiv m_p \bmod p$ and $m \equiv m_q \bmod q$. The point is 
that although $d_p$ and $d_q$ are small, d can be chosen large enough to resist Wiener's 
attack. 
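An added example, not from the tutorial, implementing the CRT decryption described above in Python: $m_p = c^{d_p} \bmod p$ and $m_q = c^{d_q} \bmod q$ are combined into the unique m modulo pq and compared with the plain $c^d \bmod n$, and a second function tests Wiener's bound $d < \frac{1}{3} n^{1/4}$ in integer arithmetic, the check a key generator would apply before accepting a small private exponent. Names are this example's own; the key is Example 2.4's, and the 1024-bit "modulus" is a constructed stand-in for the size only.

```python
# Added example, not from the tutorial: decryption with the Chinese Remainder
# Theorem as described above (d_p = d mod (p-1), d_q = d mod (q-1)), checked
# against plain c^d mod n, and a test of Wiener's bound d < n^(1/4)/3 in
# integer arithmetic.  Names are this example's own; p and q must be odd
# primes (then gcd(d, phi(n)) = 1 keeps d_p and d_q nonzero).


def crt_decrypt(c, p, q, d):
    """Return c^d mod pq from two half-size exponentiations mod p and mod q."""
    d_p = d % (p - 1)
    d_q = d % (q - 1)
    m_p = pow(c, d_p, p)               # m_p = c^(d_p) mod p, equal to c^d mod p by Fermat
    m_q = pow(c, d_q, q)               # m_q = c^(d_q) mod q
    # CRT in Garner's form: m = m_p + p * h with h = (m_q - m_p) * p^(-1) mod q,
    # so m == m_p mod p, m == m_q mod q, and 0 <= m < pq.
    p_inv_q = pow(p, -1, q)            # inverse of p modulo q (Python >= 3.8)
    h = ((m_q - m_p) * p_inv_q) % q
    return m_p + p * h


def wiener_bound_violated(d, n):
    """True iff d < n^(1/4) / 3, i.e. 81 * d^4 < n, the range Wiener's attack covers."""
    return 81 * d ** 4 < n


if __name__ == "__main__":
    p, q, d = 11, 23, 147              # the key of Example 2.4, n = 253
    n = p * q
    for c in (2, 42, 200):
        print(f"c = {c}: CRT gives {crt_decrypt(c, p, q, d)}, c^d mod n = {pow(c, d, n)}")
    # a 1024-bit modulus with a 200-bit and with a 256-bit private exponent
    big_n = 2 ** 1023 + 1              # constructed stand-in for the size only, not a real modulus
    print("200-bit d inside Wiener's range:", wiener_bound_violated(2 ** 200, big_n))
    print("256-bit d inside Wiener's range:", wiener_bound_violated(2 ** 256, big_n))
```

For Example 2.4's key the exponents shrink to $d_p = 7$ and $d_q = 15$, and the CRT result agrees with $c^{147} \bmod 253$ for every c. The bound check reproduces the rule of thumb stated above: against a 1024-bit modulus a 200-bit d lies inside Wiener's range while a 256-bit d does not.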

Boneh and Durfee [BD00] recently improved Wiener's result: Erich can efficiently 
compute d from (n, e) provided that $d < n^{0.292}$. 

Small-message attack. RSA encryption is not effective if both the message m to 
be encrypted and the exponent e to be used for encryption are small relative to the 
modulus n. In particular, if $c = m^e < n$ is the cipher text, then m can be recovered 
from c by ordinary root extraction. Thus, either the public exponent should be 
large or the messages should always be large. It is this latter suggestion that is 
more useful, for a small public exponent is often preferred in order to speed up the 
encryption and to preclude Wiener's attack. 


Low-exponent attack. One should take precautions, though, not to choose the 
public exponent too small. A preferred value of e that has been used often in the 
past is e = 3. However, if three parties participating in the same system encrypt 
the same message m using the same public exponent 3, although perhaps different 
moduli $n_1$, $n_2$, and $n_3$, then one can easily compute m from the three cipher texts: 

$c_1 = m^3 \bmod n_1,$ 
$c_2 = m^3 \bmod n_2,$ 
$c_3 = m^3 \bmod n_3.$ 

In particular, the message m must be smaller than the moduli, and so $m^3$ will be 
smaller than $n_1 n_2 n_3$. Using the Chinese Remainder Theorem (see, e.g., [Knu81, 
Sti95]), one can compute the unique solution 

$c = m^3 \bmod n_1 n_2 n_3 = m^3.$ 

Hence, one can compute m from c by ordinary root extraction. 

More generally, suppose that k related plain texts are encrypted with the same 
exponent e: 

$c_1 = (a_1 m + b_1)^e \bmod n_1,$ 
$c_2 = (a_2 m + b_2)^e \bmod n_2,$ 
$\quad\vdots$ 
$c_k = (a_k m + b_k)^e \bmod n_k,$ 

where $a_i$ and $b_i$, 1 ≤ i ≤ k, are known and k > and $\min(n_i) > 2^{e^2}$. Then, an 
attacker can solve for m in polynomial time using lattice reduction techniques. This 
observation is due to Johan Håstad [Has88], and his "broadcast attack" has been 
strengthened by Don Coppersmith [Cop97]. This attack is a concern if the messages 
are related in a known way. Padding the messages with pseudorandom strings prior 
to encryption prevents mounting this attack in practice, see, e.g., [KR95]. If the 
messages are related in a known way, they should not be encrypted with many RSA 
keys. 

A recommended value of e that is commonly used today is $e = 2^{16} + 1$. One 
advantage of this value for e is that its binary expansion has only two ones, which 
implies that the square-and-multiply algorithm of Figure 2 requires very few 
operations,* and so is very efficient. 

Forging RSA signatures. This attack is based on the fact that the RSA encryption 
function is a homomorphism: if (n, e) is the public key and $m_1$ and $m_2$ are 
two messages then 

$m_1^e \cdot m_2^e \equiv (m_1 \cdot m_2)^e \bmod n.$ (2.10) 

Another identity that can easily be verified is: 

$(m \cdot r^e)^d \equiv m^d \cdot r \bmod n.$ (2.11) 

*How many exactly? 
In particular, these identities can be used to mount an attack on the digital signature 
scheme based on the RSA algorithm, see Figure 4 and Section 2.3. Given previous 
message-signature pairs $(m_1, \mathrm{sig}_A(m_1)), \ldots, (m_k, \mathrm{sig}_A(m_k))$, Erich can use the 
congruences (2.10) and (2.11) to compute a new message-signature pair $(\hat{m}, \mathrm{sig}_A(\hat{m}))$ 
by 

$\hat{m} = r^e \prod_{i=1}^{k} m_i^{a_i} \bmod n;$ 

$\mathrm{sig}_A(\hat{m}) = r \prod_{i=1}^{k} (\mathrm{sig}_A(m_i))^{a_i} \bmod n,$ 

where r and the $a_i$ are arbitrary. Hence, Erich can forge Alice's signature without 
knowing her private key, and Bob will not detect the forgery, since $\hat{m} \equiv (\mathrm{sig}_A(\hat{m}))^e \bmod n$. 
Note that, in Equation (2.10), even if $m_1$ and $m_2$ are meaningful plain 
texts, $m_1 \cdot m_2$ usually is not. Thus, Erich can forge Alice's signature only for 
messages that may or may not be useful. However, he might choose the messages 
$m_i$ so as to generate a meaningful message $\hat{m}$ with a forged digital signature. This 
chosen-plain-text attack can again be avoided by pseudorandom padding techniques 
that destroy the algebraic relations between messages. Pseudorandom padding is 
also a useful countermeasure against the following chosen-cipher-text attack: Erich 
intercepts some cipher text c, chooses r ∈ ℕ at random, and computes $\hat{c} = c \cdot r^e \bmod n$, 
which he sends to the legitimate receiver Bob. By Equation (2.11), Bob will decrypt 
the string $\hat{c}$ to $\hat{c}^d = c^d \cdot r \bmod n$, which is likely to look like a random string. Erich, 
however, if he were to get his hands on $\hat{c}^d$, could obtain the original message m by 
multiplying by $r^{-1}$, the inverse of r modulo n, i.e., by computing $m = r^{-1} \cdot c^d \cdot r \bmod n$. 

3. PROTOCOLS FOR SECRET-KEY AGREEMENT, PUBLIC-KEY ENCRYPTION, 
AND DIGITAL SIGNATURES 

Consider again a scenario where Alice and Bob want to exchange messages over an 
insecure channel such as a public telephone line, and where Erich is an eavesdropper: 




This is why Alice and Bob want to encrypt their messages. For efficiency purposes, 
they decide to use a symmetric cryptosystem in which they both possess the same 
key for encryption and for decryption; recall Definition 1.1. But then, how can 
they agree on a joint secret key when they can communicate only over an insecure 
channel? If they were to send an encrypted message containing the key to be used 
in subsequent communications, which key should they use to encrypt this message? 

This paradoxical situation is known as the secret-key agreement problem, and it 
was considered to be unsolvable since the beginning of cryptography. It was quite 
a surprise when in 1976 Whitfield Diffie and Martin Hellman [DH76] did solve 
this long-standing, seemingly paradoxical problem by proposing the first secret-key 
agreement protocol. We describe their protocol in Section 3.1. Interestingly, it was 
the Diffie-Hellman protocol that inspired Rivest, Shamir, and Adleman to invent 
the RSA system. That is, Diffie and Hellman's key idea to solve the secret-key 
agreement problem opened the door to modern public-key cryptography, which no 
longer requires sending secret keys over insecure channels. 

Strangely enough, the reverse happened in the nonpublic sector. The 
Communications Electronics Security Group (CESG) of the British Government 
Communications Head Quarters (GCHQ) claims to have invented the RSA public-key 
cryptosystem prior to Rivest, Shamir, and Adleman and the Diffie-Hellman secret-key 
agreement scheme independently of Diffie and Hellman. And they did so in 
reverse order. James Ellis first discovered the possibility, in principle, of public-key 
cryptography in the late sixties. In 1973, Clifford Cocks developed the mathematics 
necessary to realize Ellis's ideas and formulated what four years later became 
known as the RSA system. Soon thereafter, inspired by Ellis's and Cocks's work, 
Malcolm Williamson invented what became known as the Diffie-Hellman secret-key 
agreement scheme, around the same time Diffie and Hellman succeeded. None of 
the results of Ellis, Cocks, and Williamson became known to the public then. The 
full story — or what of it is publicly known by now — is told in Singh's book [Sin99]. 

Section 3.2 shows how to modify the Diffie-Hellman protocol in order to obtain 
a public-key cryptosystem. This protocol is due to Taher ElGamal [ElG85]. Just 
like the Diffie-Hellman protocol, ElGamal's cryptosystem is based on the difficulty 
of computing discrete logarithms. 

Section 3.3 gives an interesting protocol due to an unpublished work of Adi 
Shamir. In this protocol, keys do not need to be agreed upon prior to exchanging 
encrypted messages. 

Another cryptographic task is the generation of digital signatures: Alice wants 
to sign her encrypted messages to Bob in a way that allows Bob to verify that Alice 
was indeed the sender of the message. Digital signature protocols are used for the 
authentication of documents such as email messages. The goal is to preclude Erich 
from forging Alice's messages and her signature. Digital signature protocols are 
described in Section 2.3 (RSA digital signatures), in Section 3.2 (ElGamal digital 
signatures) and in Section 3.4 (Rabi and Sherman digital signatures). 

3.1 Diffie and Hellman's Secret-Key Agreement Protocol 

Figure 5 shows how the Diffie-Hellman secret-key agreement protocol works. It is 
based on the modular exponential function with base g and modulus p, where p 
is a prime and g is a primitive root of p in $\mathbb{Z}_p^*$, the cyclic group of prime residues 
modulo p; recall that $\mathbb{Z}_p^*$ has order φ(p) = p − 1. The formal definition is as follows. 
Step | Alice | Erich | Bob 
-----|-------|-------|----- 
1    | Alice and Bob agree upon a large prime p and a primitive root g of p; p and g are public | | 
2    | chooses a large number a at random, computes $\alpha = g^a \bmod p$ | | chooses a large number b at random, computes $\beta = g^b \bmod p$ 
3    |       | α ⇒ ; ⇐ β | 
4    | computes her key $k_A = \beta^a \bmod p$ | | computes his key $k_B = \alpha^b \bmod p$ 

Fig. 5. The Diffie-Hellman secret-key agreement protocol. 



Definition 3.1. — For n ∈ ℕ, a primitive root of n is any element $a \in \mathbb{Z}_n^*$ 
satisfying that, for each d with 1 ≤ d < φ(n), it holds that 

$a^d \not\equiv 1 \bmod n.$ 

Equivalently, a primitive root of n is a generator of $\mathbb{Z}_n^*$. 

— Let p be a prime, and let g be a primitive root of p. The function $\alpha_{(g,p)} : \mathbb{Z}_{p-1} \to \mathbb{Z}_p^*$ 
that is defined by 

$\alpha_{(g,p)}(a) = g^a \bmod p$ 

is called the modular exponential function with base g and modulus p. Its inverse 
function, which for fixed p and g maps $\alpha_{(g,p)}(a)$ to $a = \log_g \alpha \bmod p$, is called 
the discrete logarithm. 

As noted above, every primitive root of p generates the entire group $\mathbb{Z}_p^*$. 
Moreover, $\mathbb{Z}_p^*$ has precisely φ(p − 1) primitive roots. For example, $\mathbb{Z}_5^* = \{1, 2, 3, 4\}$ and 
$\mathbb{Z}_4^* = \{1, 3\}$, so φ(4) = 2, and the two primitive roots of 5 in $\mathbb{Z}_5^*$ are 2 and 3, since 

$2^1 = 2; \quad 2^2 = 4; \quad 2^3 \equiv 3 \bmod 5; \quad 2^4 \equiv 1 \bmod 5;$ 

$3^1 = 3; \quad 3^2 \equiv 4 \bmod 5; \quad 3^3 \equiv 2 \bmod 5; \quad 3^4 \equiv 1 \bmod 5.$ 

Not every integer has a primitive root: 8 is the smallest such example. It is known 
from elementary number theory that an integer n has a primitive root if and only 
if n is 1 or 2 or 4, or is of the form $q^k$ or $2q^k$ for some odd prime q. 

The protocol from Figure 5 works, since 

$k_A = \beta^a \equiv g^{ba} = g^{ab} \equiv \alpha^b = k_B \bmod p.$ 

Thus, the keys computed by Alice and Bob indeed are the same. 
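An added example, not from the tutorial, in Python: primitive roots tested exactly as in Definition 3.1, the count φ(p − 1) from the paragraph above (recovering 2 and 3 as the primitive roots of 5, and none for 8), and the Diffie-Hellman exchange of Figure 5 showing that $k_A = k_B$. The function names and the parameters p = 23, g = 5 are this example's own constructed choices.

```python
# Added example, not from the tutorial: primitive roots per Definition 3.1
# (a^d != 1 mod n for all 1 <= d < phi(n)), the count phi(p-1) of primitive
# roots of a prime p, and the Diffie-Hellman exchange of Fig. 5 on a
# constructed small prime.  Names and p = 23, g = 5 are this example's own.
import math
import secrets


def euler_phi(n):
    """phi(n) = |Z_n^*|, counted directly; fine for the small n used here."""
    return sum(1 for i in range(1, n) if math.gcd(i, n) == 1)


def is_primitive_root(a, n, phi_n=None):
    """Definition 3.1: a in Z_n^* and a^d != 1 mod n for every 1 <= d < phi(n)."""
    if phi_n is None:
        phi_n = euler_phi(n)
    if not 1 <= a < n or math.gcd(a, n) != 1:
        return False
    return all(pow(a, d, n) != 1 for d in range(1, phi_n))


def primitive_roots(n):
    """All primitive roots of n (empty when n has none, e.g. n = 8)."""
    phi_n = euler_phi(n)
    return [a for a in range(1, n) if is_primitive_root(a, n, phi_n)]


def dh_exchange(p, g, a, b):
    """Fig. 5: Alice holds a, Bob holds b; returns (alpha, beta, k_A, k_B).

    alpha and beta are the values Erich sees; k_A == k_B because
    beta^a = g^(ba) = g^(ab) = alpha^b mod p.
    """
    alpha = pow(g, a, p)                # step 2, Alice
    beta = pow(g, b, p)                 # step 2, Bob
    k_a = pow(beta, a, p)               # step 4, Alice
    k_b = pow(alpha, b, p)              # step 4, Bob
    return alpha, beta, k_a, k_b


def dh_demo(p=23, g=5):
    """Run Fig. 5 with fresh random exponents 1 <= a, b <= p-2 (constructed p, g)."""
    if not is_primitive_root(g, p):
        raise ValueError("g must be a primitive root of p")
    a = 1 + secrets.randbelow(p - 2)
    b = 1 + secrets.randbelow(p - 2)
    return dh_exchange(p, g, a, b)


if __name__ == "__main__":
    print("primitive roots of 5:", primitive_roots(5), " phi(4) =", euler_phi(4))
    print("primitive roots of 8:", primitive_roots(8))
    alpha, beta, k_a, k_b = dh_demo()
    print(f"Erich sees alpha = {alpha}, beta = {beta}; k_A = {k_a}, k_B = {k_b}")
```

The brute-force test of Definition 3.1 is only usable for tiny moduli, which is the point: for a realistic p one cannot enumerate the exponents, just as Erich cannot enumerate discrete logarithms to get from α and β to the key. For p = 23 the code finds φ(22) = 10 primitive roots, among them g = 5, and with a = 6, b = 15 both parties arrive at the same key 2 from α = 8 and β = 19.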

Computing discrete logarithms is considered to be a very hard problem: no 
efficient algorithms are known for solving it. In contrast, the modular exponential 
function can be computed efficiently, using the fast exponentiation algorithm 
"square-and-multiply" described in Figure 2. That is why modular exponentiation 
is considered to be a candidate for a "one-way function," i.e., a function that is easy 
to compute but hard to invert. Things are bad. It is currently not known whether 
or not one-way functions exist. Things are worse. Although they are not known to 
exist, one-way functions play a key role in cryptography, and the security of many 
cryptosystems is based on the assumption that one-way functions do exist. We will 
discuss the notion of one-way functions in more detail in Section 5. 

If Erich is listening carefully to Alice and Bob's communication in the Diffie-Hellman 
protocol (see Figure 5), he knows p, g, α, and β. He wants to compute 
their joint secret key, $k_A = k_B$. This problem is known as the Diffie-Hellman 
problem. If Erich could solve the discrete logarithm problem efficiently, he could 
easily compute $a = \log_g \alpha \bmod p$ and $b = \log_g \beta \bmod p$ and, thus, $k_A = \beta^a \bmod p$ 
and $k_B = \alpha^b \bmod p$. That is, the Diffie-Hellman problem is no more difficult than 
the discrete logarithm problem. The converse question, whether the Diffie-Hellman 
problem is as hard as the discrete logarithm problem, is still an unproven 
conjecture. Fortunately, as noted above, the discrete logarithm problem is viewed 
as being intractable, so this attack is very unlikely to be a practical threat. On the 
other hand, it is the only known attack for computing the keys directly from α and 
β in the Diffie-Hellman protocol. Note, however, that no proof of security for this 
protocol has been established to date. 

Note also that computing the keys $k_A = k_B$ directly from α and β is not the 
only possible attack on the Diffie-Hellman protocol. For example, it is vulnerable 
to the Man-in-the-middle attack. Unlike passive attacks against the underlying 
mathematics of a cryptosystem, in which an eavesdropper tries to gain information 
without affecting the protocol, the Man-in-the-middle attack is an active attack, in 
which an eavesdropper attempts to alter the protocol to his own advantage. That is, 
Erich, as the "man in the middle," might pretend to be Alice when communicating 
with Bob, and he might pretend to be Bob when communicating with Alice. He 
could intercept $\alpha = g^a \bmod p$ that Alice sends to Bob and he could also intercept 
$\beta = g^b \bmod p$ that Bob sends to Alice, passing on his own values $\alpha_E$ in place of α 
to Bob and $\beta_E$ in place of β to Alice. That way Erich could compute two (possibly 
distinct) keys, one for communicating with Alice, the other one for communicating 
with Bob, without them having any clue that they in fact are communicating with 
him. Thus, Alice and Bob cannot be certain of the authenticity of their respective 
partners in the communication. In Section 4, we will introduce zero-knowledge 
protocols, which can be used to ensure proper authentication. 

By slightly modifying the Diffie-Hellman protocol, it is possible to obtain a 
public-key cryptosystem. The variant of the Diffie-Hellman protocol presented 
here in fact is a "hybrid cryptosystem," a public-key cryptosystem making use of 
a given symmetric cryptosystem. Such hybrid systems are often useful in practice, 
for they combine the advantages of asymmetric and symmetric cryptosystems. 
Symmetric systems are usually more efficient than public-key systems. 

The protocol works as follows. Alice and Bob agree on a large prime p and 
a primitive root g of p, which are public. They also agree on some symmetric 
cryptosystem $S = (P, C, K, \mathcal{E}, \mathcal{D})$ with encryption functions $\mathcal{E} = \{E_k \mid k \in K\}$ and 
decryption functions $\mathcal{D} = \{D_k \mid k \in K\}$. The subsequent steps of the protocol 
are shown in Figure 6. The message to be sent is encrypted using the symmetric 
system S, and the symmetric key k used in this encryption is transmitted in a 
Diffie-Hellman-like fashion. This modification of the original Diffie-Hellman protocol is 
the standard usage of Diffie-Hellman. 

Step | Alice | Erich | Bob 
-----|-------|-------|----- 
1    | Alice and Bob agree upon a large prime p and a primitive root g of p; p and g are public | | 
2    |       |       | chooses a large number b at random as his private key and computes $\beta = g^b \bmod p$ 
3    |       | ⇐ β   | 
4    | chooses a large number a at random, computes $\alpha = g^a \bmod p$, the key $k = \beta^a \bmod p$, and the cipher text $c = E_k(m)$, where m is the message to be sent | | 
5    |       | α, c ⇒ | 
6    |       |       | computes $k = \alpha^b \bmod p$ and $m = D_k(c)$ 

Fig. 6. A public-key cryptosystem based on the Diffie-Hellman protocol, which uses the encryption 
and decryption algorithms $E_k$ and $D_k$ of a given symmetric cryptosystem. 

The system in Figure 6 modifies the original Diffie-Hellman protocol in the 
following way. While in the Diffie-Hellman scheme Alice and Bob simultaneously 
compute and send their "partial keys" $\alpha$ and $\beta$, respectively, they do so 
sequentially in the protocol in Figure 6. That is, Alice must wait for Bob's value 
$\beta$, his public key, to be able to compute the key $k$ with which she then encrypts 
her message $m$ via the symmetric cryptosystem $S$. Moreover, Bob generates, once 
and for all, his public $\beta$ for possibly several communications with Alice, and also 
for possibly several users other than Alice who might want to communicate with him. 
In contrast, Alice has to generate her $\alpha$ anew every time she communicates with 
Bob, just like in the original Diffie-Hellman protocol. This modification of 
Diffie-Hellman is usually referred to as Predistributed Diffie-Hellman. In a key 
distribution scheme, one party chooses a key and then transmits it to another party 
or parties over an insecure channel. In contrast, in a secret-key agreement scheme 
such as the original Diffie-Hellman protocol from Figure 5, two or more parties 
jointly compute, by communicating over an insecure channel, a shared secret key, 
which depends on inputs from both or all parties. 
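As an added illustration, not code from the tutorial, the following Python script runs the predistributed Diffie-Hellman system of Figure 6 end to end. Everything about the parameters is an assumption made for readability: the prime $p = 467$ with primitive root $g = 2$ stands in for a 2048-bit or larger group, and a SHA-256-keyed XOR stream stands in for the symmetric system $S$. The script also checks that $g$ really is a primitive root, a property the protocol relies on but leaves to the parties.

```python
import hashlib
import secrets

# Constructed toy parameters (an assumption of this example). In practice p is a
# 2048-bit or larger prime. 467 is prime, 467 - 1 = 2 * 233, and 2 generates Z_467^*.
P = 467
G = 2


def prime_factors(n):
    """Distinct prime factors of n by trial division; adequate for toy sizes only."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_primitive_root(g, p):
    """g generates Z_p^* iff g^((p-1)/q) != 1 (mod p) for every prime q dividing p-1."""
    return 1 < g < p and all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def stream_cipher(key, data):
    """Stand-in for the symmetric system S: XOR with a SHA-256 keystream derived
    from the shared group element k. A toy construction, not a production cipher."""
    key_bytes = key.to_bytes(32, "big")          # keys below 2^256 are enough here
    keystream, counter = bytearray(), 0
    while len(keystream) < len(data):
        keystream.extend(hashlib.sha256(key_bytes + counter.to_bytes(4, "big")).digest())
        counter += 1
    return bytes(x ^ y for x, y in zip(data, keystream))


def bob_keygen(p=P, g=G):
    """Step 2: Bob's long-term private b and public beta = g^b mod p."""
    b = secrets.randbelow(p - 2) + 1
    return b, pow(g, b, p)


def alice_encrypt(beta, message, p=P, g=G):
    """Step 4: fresh a, alpha = g^a mod p, k = beta^a mod p, c = E_k(m)."""
    a = secrets.randbelow(p - 2) + 1
    alpha = pow(g, a, p)
    k = pow(beta, a, p)
    return alpha, stream_cipher(k, message)


def bob_decrypt(b, alpha, ciphertext, p=P):
    """Step 6: k = alpha^b mod p, m = D_k(c)."""
    return stream_cipher(pow(alpha, b, p), ciphertext)


def demo(message=b"attack at dawn"):
    """Bob publishes beta once; every message (or sender) uses a fresh a."""
    if not is_primitive_root(G, P):
        raise ValueError("g must generate Z_p^*")
    b, beta = bob_keygen()
    alpha1, c1 = alice_encrypt(beta, message)
    alpha2, c2 = alice_encrypt(beta, message)
    return bob_decrypt(b, alpha1, c1), bob_decrypt(b, alpha2, c2)


if __name__ == "__main__":
    print(demo())
```

Because only Alice's $a$ is fresh while $\beta$ is Bob's long-term public key, the same $\beta$ serves every sender, which is the asymmetry the text describes. It also means that whoever can substitute $\beta$ on the wire (the man-in-the-middle of Section 3.1) reads every message, so in practice $\beta$ has to be authenticated, for instance by a signature as in Section 3.2.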
3.2 ElGamal's Public-Key Cryptosystem and Digital Signature Protocol 

Taher ElGamal [ElG85] developed a public-key cryptosystem and a digital signature 
protocol that are based on the Diffie-Hellman protocol. In fact, the variant of 
Diffie-Hellman presented in Figure 6 is somewhat reminiscent of the original 
ElGamal public-key cryptosystem, which we will now describe. 



Step 1 (Alice and Bob): agree upon a large prime $p$ and a primitive root $g$ of $p$; $p$ and $g$ are public. 
Step 2 (Bob): chooses $b$ with $1 \le b \le p-2$ at random and computes $\beta = g^b \bmod p$; $b$ is private and $\beta$ is public. 
Step 3 (Bob $\to$ Alice): sends $\beta$. 
Step 4 (Alice): picks a secret $a$ with $1 \le a \le p-2$ at random, computes $\alpha = g^a \bmod p$ and $c = m\beta^a \bmod p$, where $m$ is the message to be sent. 
Step 5 (Alice $\to$ Bob): sends $\alpha, c$. 
Step 6 (Bob): computes $x = p - 1 - b$ and decrypts by computing $m = c\alpha^x \bmod p$. 

Fig. 7. The ElGamal public-key cryptosystem. 

Figure 7 shows ElGamal's public-key cryptosystem. After Alice and Bob have 
agreed on a prime $p$ and a primitive root $g$ of $p$, Bob picks a random value $b$ 
with $1 \le b \le p-2$ and computes his public key $\beta = g^b \bmod p$. If Alice wants 
to send him a message $m \in \mathbb{Z}_p^*$, she looks up $\beta$ and "disguises" $m$ by 
multiplying it with $\beta^a$ modulo $p$, where $a$ is a random number she has picked. 
This yields the first part $c$ of the cipher text; the second part is $\alpha = g^a \bmod p$. 
She sends both $c$ and $\alpha$ to Bob. To decrypt, Bob first computes $x = p - 1 - b$. 
Since $1 \le b \le p-2$, it follows that $1 \le x \le p-2$. Bob then can recover the 
original plain text $m$ by computing: 

$$c\alpha^x \equiv m\beta^a g^{a(p-1-b)} \equiv m\,g^{ab + a(p-1) - ab} \equiv m\,(g^{p-1})^a \equiv m \pmod p,$$ 

where the last step uses Fermat's Little Theorem, $g^{p-1} \equiv 1 \pmod p$. 

Just as in the Diffie-Hellman protocol, the security of the ElGamal protocol is 
based on the difficulty of computing discrete logarithms. Although it is not known 
whether breaking the ElGamal protocol is as hard as solving the discrete logarithm 
problem, it can be shown that breaking the ElGamal protocol is precisely as hard 
as solving the Diffie-Hellman problem. To prevent known attacks on the ElGamal 
cryptosystem, the prime $p$ should be chosen large enough (at least 150 digits long) 
and such that $p - 1$ has at least one large prime factor. Moreover, Alice must pick 
a fresh random $a$ for every message: if two messages $m_1$ and $m_2$ were encrypted 
with the same $a$, then $c_1 c_2^{-1} \equiv m_1 m_2^{-1} \pmod p$, so knowing one of the 
plain texts would reveal the other. 
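Added example, not code from the original page: the ElGamal encryption and decryption of Figure 7 in Python, with Bob's decryption exponent $x = p - 1 - b$ from the text and, beside it, the same computation written with a modular inverse. The toy parameters $p = 467$, $g = 2$ are an assumption. The `malleate` function goes beyond the text: it shows that multiplying $c$ by $t$ turns an encryption of $m$ into an encryption of $t \cdot m$ without knowledge of $b$ or $m$, which is why the textbook scheme is only used together with integrity protection.

```python
import secrets

# Constructed toy parameters (assumption): p prime, g a primitive root of p.
P, G = 467, 2


def keygen(p=P, g=G):
    """Bob: private b with 1 <= b <= p-2, public beta = g^b mod p."""
    b = secrets.randbelow(p - 2) + 1
    return b, pow(g, b, p)


def encrypt(beta, m, p=P, g=G, a=None):
    """Alice: secret a, alpha = g^a mod p, c = m * beta^a mod p. Requires 1 <= m < p."""
    if not 1 <= m < p:
        raise ValueError("plaintext must lie in Z_p^*")
    if a is None:
        a = secrets.randbelow(p - 2) + 1      # must be fresh for every message
    return pow(g, a, p), (m * pow(beta, a, p)) % p


def decrypt(b, alpha, c, p=P):
    """Bob, as in the text: x = p-1-b and m = c * alpha^x mod p (alpha^x = beta^{-a})."""
    x = p - 1 - b
    return (c * pow(alpha, x, p)) % p


def decrypt_via_inverse(b, alpha, c, p=P):
    """Same result written as c * (alpha^b)^{-1}; pow(., -1, p) is the modular inverse."""
    return (c * pow(pow(alpha, b, p), -1, p)) % p


def malleate(alpha, c, t, p=P):
    """Caveat beyond the text: (alpha, c*t) is a valid encryption of t*m under the
    same key. No secret is needed, so the scheme alone gives no integrity."""
    return alpha, (c * t) % p


def demo(m=123, t=2):
    """Round trip plus the malleability check; returns (recovered m, recovered t*m)."""
    b, beta = keygen()
    alpha, c = encrypt(beta, m)
    assert decrypt(b, alpha, c) == decrypt_via_inverse(b, alpha, c)
    return decrypt(b, alpha, c), decrypt(b, *malleate(alpha, c, t))


if __name__ == "__main__":
    print(demo())
```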
Step 1 (Alice and Bob): agree upon a large prime $p$ and a primitive root $g$ of $p$; $p$ and $g$ are public. 
Step 2 (Bob): chooses $b$ and $\beta = g^b \bmod p$ as in Fig. 7; chooses a number $r$ with $\gcd(r, p-1) = 1$, computes $\rho = g^r \bmod p$ and $s$ according to Eq. (3.12), and his signature $\mathrm{sig}_B(m) = (\rho, s)$. 
Step 3 (Bob $\to$ Alice): sends $m, \mathrm{sig}_B(m)$. 
Step 4 (Alice): verifies Bob's signature by checking that Eq. (3.13) holds: $g^m \equiv \beta^\rho \rho^s \pmod p$. 

Fig. 8. The ElGamal digital signature protocol. 

ElGamal's system can be modified so as to yield a digital signature protocol. A 
particularly efficient variant of this protocol that is due to an idea of Schnorr [Sch90] 
is now the United States "Digital Signature Standard" [Nat91,Nat92]. 

The ElGamal digital signature protocol is presented in Figure 8. Suppose that 
Bob wants to send a message $m$ to Alice. To prove that he indeed is the sender, 
he wants to sign the message in a way that Alice can verify. Let a large prime $p$ 
and a primitive root $g$ of $p$ be given as in the ElGamal public-key cryptosystem, 
see Figure 7. As in that protocol, Bob chooses his private $b$ and computes 
$\beta = g^b \bmod p$. In addition, he now chooses a number $r$ coprime with $p - 1$, and he 
computes $\rho = g^r \bmod p$ and a solution $s$ to the congruence 

$$b \cdot \rho + r \cdot s \equiv m \pmod{p-1} \qquad (3.12)$$ 

using the extended algorithm of Euclid, see Figure 1 and Lemma 2.3; since 
$\gcd(r, p-1) = 1$, the inverse $r^{-1}$ modulo $p-1$ exists and $s \equiv (m - b\rho)\, r^{-1} \pmod{p-1}$. 

Bob keeps $b$ and $r$ secret, and he sends along with his message $m$ his digital 
signature $\mathrm{sig}_B(m) = (\rho, s)$ and the value $\beta$ to Alice. 

Alice checks the validity of the signature by verifying the congruence 

$$g^m \equiv \beta^\rho \rho^s \pmod p. \qquad (3.13)$$ 

The protocol is correct, since by Fermat's Little Theorem (see Theorem 2.2) and 
by Equation (3.12), it holds that 

$$g^m \equiv g^{b \cdot \rho + r \cdot s} \equiv \beta^\rho \rho^s \pmod p.$$ 

Note that the public verification key, which consists of the values $p$, $g$, and $\beta$, is 
computed just once and can be used to verify any message that is signed with $p$, $g$, 
$b$, and $\beta$. However, a new value of $r$ is chosen every time a message is signed. 
3.3 Shamir's No-Key Protocol 

Step 1 (Alice and Bob): agree upon a large prime $p$, which is public. 
Step 2 (Alice): computes $x = m^a \bmod p$, where $m$ is the message. 
Step 3 (Alice $\to$ Bob): sends $x$. 
Step 4 (Bob): computes $y = x^b \bmod p$. 
Step 5 (Bob $\to$ Alice): sends $y$. 
Step 6 (Alice): computes $z = y^{a^{-1}} \bmod p$. 
Step 7 (Alice $\to$ Bob): sends $z$. 
Step 8 (Bob): computes $m = z^{b^{-1}} \bmod p$. 

Fig. 9. Shamir's no-key protocol. 

Adi Shamir proposed a cryptosystem by which Alice and Bob can exchange 
messages that are encrypted by Alice's and Bob's individual secret keys, yet in 
which there is no need for Alice and Bob to previously agree on a joint secret key. 
This clever idea is described in an unpublished paper of Shamir, and it is again based 
on the modular exponentiation function and the difficulty of efficiently computing 
discrete logarithms that was useful for the Diffie-Hellman secret-key agreement 
protocol described in Section 3.1. The Shamir protocol is often called Massey-Omura 
in the literature. Both inventors were preceded by Malcolm Williamson 
from GCHQ who developed the same protocol in the nonpublic sector around 1974. 

Figure 9 shows how Shamir's no-key protocol works. In this protocol, let $m$ be 
the message that Alice wants to send to Bob. First, Alice and Bob agree on a large 
prime $p$. Alice generates a pair $(a, a^{-1})$ satisfying 

$$a a^{-1} \equiv 1 \pmod{p-1},$$ 

where $a^{-1}$ is the inverse of $a$ modulo $p - 1$. Recall from Section 2.2 that, given a 
prime $p$ and an integer $a \in \mathbb{Z}_{p-1}^*$, the inverse of $a$ modulo $p - 1$ can easily be 
computed. Similarly, Bob generates a pair $(b, b^{-1})$ satisfying 

$$b b^{-1} \equiv 1 \pmod{p-1},$$ 

where $b^{-1}$ is the inverse of $b$ modulo $p - 1$. See Figure 9 for the rest of the steps. 
The protocol is correct, since for all messages $m$, $1 \le m < p$, it holds that: 

$$m \equiv m^{a a^{-1}} \pmod p \quad\text{and}\quad m \equiv m^{b b^{-1}} \pmod p.$$ 

Hence, looking at Figure 9, we obtain 

$$z^{b^{-1}} \equiv y^{a^{-1} b^{-1}} \equiv x^{b a^{-1} b^{-1}} \equiv m^{a b a^{-1} b^{-1}} \equiv m \pmod p,$$ 

so Step 8 of Figure 9 is correct. 

Note that modular exponentiation is used here both for encryption and decryption. 
The key property for this protocol to work is that modular exponentiation is 
symmetric in the exponents, i.e., for all $a$ and $b$, it holds that 

$$(g^a)^b \equiv g^{a \cdot b} \equiv g^{b \cdot a} \equiv (g^b)^a \pmod p.$$ 
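Added example, not part of the original tutorial: Shamir's three-pass protocol of Figure 9 in Python, with the exponent pairs $(a, a^{-1})$ and $(b, b^{-1})$ generated as in the text. The prime $p = 467$ is a toy assumption. The function returns the three values $x$, $y$, $z$ that travel over the channel next to what Bob recovers, so one can see that the transcript consists only of powers of $m$ under secret exponents.

```python
from math import gcd
import secrets

# Constructed toy prime (assumption); a real deployment would use 2048 bits or more.
P = 467


def exponent_pair(p):
    """A random a coprime to p-1 and its inverse modulo p-1, so that
    m^(a * a^{-1}) = m (mod p) for every 1 <= m < p by Fermat's Little Theorem."""
    n = p - 1
    while True:
        a = secrets.randbelow(n - 2) + 2
        if gcd(a, n) == 1:
            return a, pow(a, -1, n)


def three_pass(m, p=P, alice=None, bob=None):
    """Steps 2-8 of Fig. 9. Returns the transcript (x, y, z) an eavesdropper sees
    and the value Bob recovers. Fixed exponent pairs may be passed in for testing."""
    if not 1 <= m < p:
        raise ValueError("message must satisfy 1 <= m < p")
    a, a_inv = alice or exponent_pair(p)       # Alice's secret pair
    b, b_inv = bob or exponent_pair(p)         # Bob's secret pair
    x = pow(m, a, p)                           # Step 2, Alice -> Bob
    y = pow(x, b, p)                           # Step 4, Bob -> Alice
    z = pow(y, a_inv, p)                       # Step 6, Alice -> Bob; equals m^b mod p
    recovered = pow(z, b_inv, p)               # Step 8, Bob
    return (x, y, z), recovered


def exponents_commute(m, p=P):
    """The property the text singles out: (m^a)^b == (m^b)^a (mod p)."""
    (a, _), (b, _) = exponent_pair(p), exponent_pair(p)
    return pow(pow(m, a, p), b, p) == pow(pow(m, b, p), a, p)


if __name__ == "__main__":
    print(three_pass(42))
```

Nothing in the transcript ties $x$, $y$, $z$ to Alice or Bob: Erich can run the three passes with Alice himself, or relay them between both parties, exactly as in the man-in-the-middle attack on Diffie-Hellman. The protocol therefore needs authentication on top, just like the schemes of Sections 3.1 and 3.2.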

3.4 Rivest, Rabi, and Sherman's Secret-Key Agreement and Digital Signature Protocols 

Ron Rivest, Muhammad Rabi, and Alan Sherman developed secret-key agreement 
and digital signature protocols. The secret-key agreement protocol from Figure 10 
is attributed to Rivest and Sherman in [RS93,RS97]. The digital signature protocol 
from Figure 11 is due to Rabi and Sherman [RS93,RS97]. 

Here is a brief, intuitive explanation of how these protocols work. The key 
building block of both protocols is a total, strongly noninvertible, associative 
one-way function. As mentioned earlier, one-way functions are theoretical constructs 
not known to exist. However, there are plausible assumptions under which one-way 
functions of various types can be constructed. In Section 5, under a quite plausible 
complexity-theoretic assumption, we will see how to construct a concrete candidate 
for a total, strongly noninvertible, associative one-way function. For now, assume 
that $\sigma$ is such a function. That is, $\sigma$ is a total two-ary (i.e., two-argument) 
function mapping pairs of positive integers to positive integers such that: 

— $\sigma$ is associative, i.e., the equation $\sigma(x, \sigma(y, z)) = \sigma(\sigma(x, y), z)$ holds for all 
$x, y, z \in \mathbb{N}$. 

— $\sigma$ is strongly noninvertible, i.e., $\sigma$ is hard to invert even if in addition to the 
function value one of the arguments is given. 

Look at Rivest and Sherman's secret-key agreement protocol in Figure 10. Since 
$\sigma$ is associative, we have: 

$$k_A = \sigma(x, \sigma(y, z)) = \sigma(\sigma(x, y), z) = k_B,$$ 

and thus the keys computed by Alice and Bob indeed are the same. On the other 
hand, if Erich was listening carefully, he knows not only two function values, $\sigma(x, y)$ 
and $\sigma(y, z)$, but he also knows $y$, the first argument of $\sigma(y, z)$ and the second 
argument of $\sigma(x, y)$. That is why $\sigma$ must be strongly noninvertible, in order to 
prevent the direct attack in which Erich computes Alice's secret number $x$ from $\sigma(x, y)$ 
and $y$ or Bob's secret number $z$ from $\sigma(y, z)$ and $y$, in which case he could easily 
obtain their joint secret key, $k_A = k_B$. Analogous comments apply to Rabi and 
Sherman's digital signature protocol presented in Figure 11. 
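Added Python example, neither from the page nor the candidate function of Section 5: both protocols instantiated with $\sigma(x, y) = x \cdot y \bmod Q$ for a prime $Q$. Multiplication is associative, so $k_A = k_B$ and the signature check of Figure 11 passes, but it is not strongly noninvertible, and `erich_direct_attack` and `erich_forge` carry out exactly the direct attacks the text says strong noninvertibility has to rule out. The modulus $Q = 2^{61} - 1$ is a constructed toy value; the point is that associativity alone buys correctness, not security.

```python
import secrets

# Constructed toy modulus (assumption): the Mersenne prime 2^61 - 1. The function
# sigma below is associative but trivially invertible, so it is NOT a valid sigma.
Q = 2**61 - 1


def sigma(x, y):
    """Toy associative two-argument function: multiplication in Z_Q^*."""
    return (x * y) % Q


def rand_elem():
    return secrets.randbelow(Q - 1) + 1


def rivest_sherman_agreement(x=None, y=None, z=None):
    """Fig. 10. Returns what Erich sees, both keys, and the secrets for comparison."""
    x, y = x or rand_elem(), y or rand_elem()        # Alice (Step 1)
    z = z or rand_elem()                              # Bob (Step 3)
    transcript = (y, sigma(x, y), sigma(y, z))        # Steps 2 and 4 on the wire
    k_a = sigma(x, sigma(y, z))                       # Step 5, Alice
    k_b = sigma(sigma(x, y), z)                       # Step 5, Bob
    return transcript, k_a, k_b, x, z


def rabi_sherman_sign(x_a, m):
    """Fig. 11, Step 3: sig_A(m) = sigma(m, x_A)."""
    return sigma(m, x_a)


def rabi_sherman_verify(y_a, pub, m, sig):
    """Fig. 11, Step 5, with pub = sigma(x_A, y_A) from Step 2:
    accept iff sigma(m, pub) == sigma(sig, y_A), which holds by associativity."""
    return sigma(m, pub) == sigma(sig, y_a)


def erich_direct_attack(transcript):
    """The direct attack strong noninvertibility must prevent: from y and sigma(x, y)
    recover x, from y and sigma(y, z) recover z, then compute the key."""
    y, sxy, syz = transcript
    y_inv = pow(y, -1, Q)
    x, z = (sxy * y_inv) % Q, (syz * y_inv) % Q
    return x, z, sigma(x, sigma(y, z))


def erich_forge(m, sig, m_new):
    """Same weakness against Fig. 11: one (m, sig) pair reveals x_A = sig * m^{-1}."""
    x_a = (sig * pow(m, -1, Q)) % Q
    return rabi_sherman_sign(x_a, m_new)


if __name__ == "__main__":
    transcript, k_a, k_b, x, z = rivest_sherman_agreement()
    print(k_a == k_b, erich_direct_attack(transcript)[2] == k_a)
```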

3.5 Discussion of Diffie-Hellman versus Rivest-Sherman 

While the secret-key agreement protocol of Diffie and Hellman [DH76] is widely 
used in practice, that of Rivest and Sherman (see [RS93,RS97]) is not (yet) used 
in applications and, thus, might appear somewhat exotic at first glance. Note, 
however, that neither the Diffie-Hellman nor the Rivest-Sherman protocol has a 
proof of security to date. So, let us digress for a moment to compare the state 
of the art on these two protocols. 
Step 1 (Alice): chooses two large numbers $x$ and $y$ at random, keeps $x$ secret, and computes $\sigma(x, y)$. 
Step 2 (Alice $\to$ Bob): sends $y, \sigma(x, y)$. 
Step 3 (Bob): chooses a large number $z$ at random, keeps $z$ secret, and computes $\sigma(y, z)$. 
Step 4 (Bob $\to$ Alice): sends $\sigma(y, z)$. 
Step 5 (Alice): computes her key $k_A = \sigma(x, \sigma(y, z))$; (Bob): computes his key $k_B = \sigma(\sigma(x, y), z)$. 

Fig. 10. The Rivest-Sherman secret-key agreement protocol, which uses a strongly noninvertible, 
associative one-way function $\sigma$. 

Step 1 (Alice): chooses two large numbers $x_A$ and $y_A$ at random, keeps $x_A$ secret, and computes $\sigma(x_A, y_A)$. 
Step 2 (Alice $\to$ Bob): sends $y_A, \sigma(x_A, y_A)$. 
Step 3 (Alice): computes her signature $\mathrm{sig}_A(m) = \sigma(m, x_A)$ for the message $m$. 
Step 4 (Alice $\to$ Bob): sends $m, \mathrm{sig}_A(m)$. 
Step 5 (Bob): verifies Alice's signature by checking whether $\sigma(m, \sigma(x_A, y_A))$ equals $\sigma(\sigma(m, x_A), y_A)$. 

Fig. 11. The Rabi-Sherman digital signature protocol, which uses a strongly noninvertible, 
associative one-way function $\sigma$. 
— While the Diffie-Hellman protocol uses a concrete function, the Rivest-Sherman 
protocol is based on an unspecified, "abstract" function that is described only by 
listing the properties it should satisfy. That is not to say that Rivest-Sherman 
is an abstract version of Diffie-Hellman. Rather, the Rivest-Sherman protocol 
may be seen as an alternative to the Diffie-Hellman protocol. The advantage of 
Rivest and Sherman's approach is that it is more flexible, as it does not depend 
on a single function. 

— The security of the Diffie-Hellman scheme is based on the (unproven, yet 
plausible) assumption that computing discrete logarithms is a computationally 
intractable task. 

In contrast, the Rivest-Sherman scheme uses a candidate for a strongly 
noninvertible, associative one-way function (see Section 5.1 for the formal definition) 
as its key building block. Although it is not known whether such functions exist, 
it has been shown recently by Hemaspaandra and this author [HR99] that they 
do exist in the worst-case model under the (unproven, yet plausible) assumption 
that $\mathrm{P} \neq \mathrm{NP}$, where P denotes the class of polynomial-time solvable problems, 
and NP denotes the class of problems that can be solved nondeterministically in 
polynomial time. Section 5 presents this result and a sketch of its proof. 

— Breaking Diffie-Hellman is not even known to be as hard as computing discrete 
logarithms, even though some nice progress in this direction has been made 
recently by Maurer and Wolf [MW99], who established conditions for relating 
the hardness of breaking Diffie-Hellman to that of computing discrete logarithms. 
Again, their results rest on unproven, yet plausible assumptions. In particular, 
let $\nu(p)$ denote the minimum, taken over all numbers $d$ in the interval 
$[p + 1 - 2\sqrt{p},\ p + 1 + 2\sqrt{p}]$, of the largest prime factors of $d$. The "smoothness 
assumption" says that $\nu(p)$ is polynomial in $\log p$. Why is this assumption plausible? 
The idea is that numbers in the Hasse-Weil interval (which are sizes of elliptic curves) 
are smooth with the same probability as random numbers of the same length, 
and these probabilities are independent. Under this smoothness assumption, 
Maurer and Wolf [MW99] proved that breaking Diffie-Hellman and computing 
the discrete logarithm are polynomial-time equivalent tasks in the underlying 
cyclic group, where the equivalence is nonuniform. 

Similarly, even if strongly noninvertible, associative one-way functions were 
known to exist, one could not conclude that the Rivest-Sherman protocol is 
secure; rather, strong noninvertibility merely precludes certain types of direct 
attacks [RS97,HR99]. Moreover, strongly noninvertible, associative one-way 
functions could be constructed so far only in the worst-case complexity model, 
assuming $\mathrm{P} \neq \mathrm{NP}$. Although this result is relevant and interesting in a 
complexity-theoretic setting, it has no direct implications in applied cryptography. For 
cryptographic applications, one would need to construct such functions based on the 
average-case complexity model, under plausible assumptions. 

As noted in the outline of the tutorial, there is some hope for obtaining such a 
strong result by combining Hemaspaandra and Rothe's [HR99] technique on 
constructing strongly noninvertible, associative one-way functions in the worst case 
with Ajtai's [Ajt96] techniques on constructing hard instances of lattice problems. 
The shortest lattice vector problem, denoted by SVP, is the problem of finding a 
shortest lattice vector in the lattice generated by a given lattice basis. Roughly 
speaking, Ajtai [Ajt96] proved that the problem SVP is as hard in the average-case 
as it is in the worst-case complexity model. 

More precisely, Ajtai constructed an infinite family $\{\Lambda_n\}_{n \ge 1}$ of lattices, where 
each $\Lambda_n$ is represented by a basis as an instance of SVP, and he showed the following 
result: Suppose one can compute in polynomial time, for each $n$, an approximately 
shortest vector in a lattice randomly chosen from $\{\Lambda_n\}_{n \ge 1}$, with non-negligible 
probability. Then, the length of a shortest vector in every lattice from $\{\Lambda_n\}_{n \ge 1}$ can 
be estimated to within a fixed polynomial factor in polynomial time with probability 
close to one. However, since the best approximation factor known to be achieved by 
polynomial-time algorithms is essentially exponential, and since the best algorithms 
known to achieve polynomial-factor approximations run in exponential time, it 
follows that, as mentioned above, "SVP is as hard in the average-case as it is in 
the worst-case model." In this regard, the SVP is a unique problem; for no other 
problem in NP that is believed to be outside P such a strong connection is known 
to hold. 

Based on the worst-case/average-case equivalence of SVP, Ajtai and 
Dwork [AD97] designed a public-key cryptosystem whose cryptographic security 
depends only on worst-case complexity assumptions. However, the worst-case 
hardness of SVP (in the Euclidean norm) had remained an open problem for a long time. 
Solving this problem, Ajtai [Ajt98] established the NP-hardness of SVP under 
randomized reductions. His result was strengthened by Micciancio [Mic01], who also 
simplified Ajtai's proof. Since the construction of strongly noninvertible, associative 
one-way functions in [HR99] is based on the assumption $\mathrm{P} \neq \mathrm{NP}$, it seems 
reasonable to consider the NP-hard problem SVP to be a good candidate for achieving 
strongly noninvertible, associative one-way functions even in the technically more 
demanding average-case model. 

The complexity of SVP and the use of lattices in cryptography are covered 
in the surveys by Cai [Cai99], Kumar and Sivakumar [KS01], and Nguyen and 
Stern [NS01]. Interestingly, lattices are useful both in breaking existing 
cryptosystems like RSA (e.g., the low-exponent attacks of Håstad [Has88] and 
Coppersmith [Cop97], see Section 2.4) and in designing secure cryptosystems (e.g., the 
Ajtai-Dwork public-key cryptosystem). 



4. INTERACTIVE PROOF SYSTEMS AND ZERO-KNOWLEDGE PROTOCOLS 

In Section 3.1, we mentioned the man-in-the-middle attack on the Diffie-Hellman 
secret-key agreement protocol. Imagine that Bob has just agreed with his partner 
on a joint secret key via a public telephone line. Of course, he assumes it was Alice 
he was talking to. Bob was so clever to use the Diffie-Hellman protocol, and so he 
thinks that Erich does not have a clue about what secret key they have chosen: 

[Diagram: Alice and Bob sharing a key, with Erich listening in and left with "???".] 

But Erich was even smarter. Here is what really happened: 

[Diagram: Erich sits in the middle, sharing one key with Alice and another with Bob.] 

ACM Journal Name, Vol. V, No. N, Month 20YY. 

34 • Jörg Rothe 

This situation raises the issue of authentication: How can Bob be certain that 
it in fact was Alice he was communicating with, and not Erich pretending to be 
Alice? In other words, how can Alice prove her identity to Bob beyond any doubt? 

In Section 3, we have seen how to use digital signatures for the authentication of 
documents such as email messages. In this section, our goal is to achieve 
authentication of an individual rather than a document. One way to achieve this goal is 
to assign to Alice's identity some secret information such as her PIN ("Personal 
Identification Number") or any other private information that nobody else knows. 
We refer to the information proving Alice's identity as Alice's secret. 

But here's another catch. Alice would like to convince Bob of her identity by 
proving that she knows her secret. Ideally, however, she should not disclose her 
secret because then it wouldn't be a secret anymore: If Bob, for example, knew 
Alice's secret, he could pretend to be Alice when communicating with somebody 
else. So the question is: 

How can one prove the knowledge of a secret without telling the secret? 

That is precisely what zero-knowledge protocols are all about. 

4.1 Interactive Proof Systems 

Zero-knowledge protocols are a special form of interactive proof systems, which we 
will describe first. Interactive proof systems were introduced by Shafi Goldwasser, 
Silvio Micali, and Charles Rackoff [GMR85,GMR89]. Independently, Babai and 
Moran [BM88,Bab85] developed the essentially equivalent notion of Arthur-Merlin 
games. 






As in the previous protocols, we consider the communication between two parties, 
the "prover" Alice and the "verifier" Bob: 

[Diagram: the prover (Alice) and the verifier (Bob) exchanging messages.] 

For now, we are not interested in the security aspects that may arise when the 
communication is eavesdropped; rather, we are concerned with the following 
communication problem: Alice and Bob want to jointly solve a given problem $L$, i.e., 
they want to decide whether or not any given instance belongs to $L$. For concreteness, 
consider the graph isomorphism problem. 

Definition 4.1. The vertex set of any graph $G$ is denoted by $V(G)$, and the edge 
set of $G$ is denoted by $E(G)$. Let $G$ and $H$ be undirected, simple graphs, i.e., 
graphs with no reflexive or multiple edges. An isomorphism between $G$ and $H$ is a 
bijective mapping $\pi$ from $V(G)$ onto $V(H)$ such that, for all $i, j \in V(G)$, 

$$\{i, j\} \in E(G) \iff \{\pi(i), \pi(j)\} \in E(H).$$ 

Graph-Isomorphism denotes the set of all pairs of isomorphic graphs. 

The graph isomorphism problem is to determine whether or not any two given 
graphs are isomorphic. This problem belongs to NP, and since there is no efficient 
algorithm known for solving it, it is widely considered to be a hard, intractable 
problem. However, it is not known to be complete for NP, i.e., it is not known 
whether this problem belongs to the hardest NP problems. In fact, due to its 
"lowness" properties, it is doubted that the graph isomorphism problem is NP-complete. 
A set $A$ is low for a complexity class $\mathcal{C}$ if it does not yield any additional 
computational power when used as an oracle by the machines representing the class 
$\mathcal{C}$, i.e., if $\mathcal{C}^A = \mathcal{C}$. Schöning [Sch87] showed that Graph-Isomorphism is in the 
second level of the low hierarchy within NP, i.e., it is low for $\mathrm{NP}^{\mathrm{NP}}$, the second 
level of the polynomial hierarchy. It follows that if Graph-Isomorphism were NP-complete 
then the polynomial hierarchy would collapse, which is considered unlikely. Moreover, 
Köbler et al. [KST92] proved Graph-Isomorphism low for PP, probabilistic 
polynomial time. 

Therefore, it is conjectured that the graph isomorphism problem might be neither 
in P nor NP-complete, and this is what makes this problem so interesting for 
complexity theoreticians. Of course, proving this conjecture would immediately 
prove P different from NP; so, such a proof seems beyond current techniques. For 
more complexity-theoretic background on the graph isomorphism problem, we refer 
to the book by Köbler, Schöning, and Torán [KST93]. 

We mention in passing that (language versions of) the factoring problem and the 
discrete logarithm problem are not known to be NP-complete either. Unlike the 
graph isomorphism problem, however, no lowness properties are known for these 
two problems. Grollmann and Selman [GS88] have shown that a language version 
of the discrete logarithm problem is contained in UP, which denotes Valiant's class 
"unambiguous polynomial time" [Val76]. NP-complete problems are very unlikely 
to belong to UP; so this result gives some evidence against the NP-completeness of 
the discrete logarithm problem. 

Returning to Alice and Bob's communication problem, their task is to decide 
whether or not any given pair $(G, H)$ of graphs is isomorphic. Alice, the prover, 
tries to prove them isomorphic by providing Bob with an isomorphism $\pi$ between $G$ 
and $H$. She intends to convince Bob no matter whether or not $G$ and $H$ in fact are 
isomorphic. But Bob is impatient. To accept the input, he wants to be convinced 
with overwhelming probability that the proof provided by Alice indeed is correct. 
Even worse, he is convinced only if every potential prover strategy Alice might come 
up with yields an overwhelming success probability. If Alice can accomplish this 
then Bob accepts the input, otherwise he rejects it. 

To formalize this intuition, imagine Alice and Bob to be Turing machines. Alice, 
the prover, is an all-powerful Turing machine with no computational limitation 
whatsoever. Bob, the verifier, is a randomized Turing machine working in polynomial 
time, but capable of making random moves by flipping an unbiased coin. 
In Definition 4.2 below, in case of acceptance, it is enough that Alice finds one 
sufficient strategy to convince Bob. In case of rejection, however, rather than 
considering every potential prover strategy of Alice, it is useful to quantify over all 
possible provers that may replace Alice. 

For the definition of randomized Turing machines, we refer to any textbook on 
complexity theory such as [BDG95,BC93,HO02,Pap94]. Essentially, every 
nondeterministic Turing machine can be viewed as a randomized Turing machine 
by defining a suitable probability measure on the computation trees of the machine. 

Definition 4.2 Interactive Proof System. [GMR85,GMR89] 

(1) An interactive proof system (or "IP protocol") $(A, B)$ is a protocol between 
Alice, the prover, and Bob, the verifier. Alice runs a Turing machine $A$ with 
no limit on its resources, while Bob runs a polynomial-time randomized Turing 
machine $B$. Both access the same input on a joint input tape, and they are 
equipped with private work tapes for internal computations. They also share a 
read-write communication tape to exchange messages. Alice does not see Bob's 
random choices. Let $\Pr((A, B)(x) = 1)$ denote the probability (according to 
the random choices made in the communication) that Bob accepts the input $x$; 
i.e., for a particular sequence of random bits, "$(A, B)(x) = 1$" denotes the event 
that Bob is convinced by Alice's proof for $x$ and accepts. 

(2) An interactive proof system $(A, B)$ accepts a set $L$ if and only if for each $x$: 

$$x \in L \implies (\exists A)\,[\Pr((A, B)(x) = 1) \ge 3/4]; \qquad (4.14)$$ 

$$x \notin L \implies (\forall A)\,[\Pr((A, B)(x) = 1) \le 1/4], \qquad (4.15)$$ 

where in (4.14) we quantify over the prover strategies (or "proofs") for $x$ of the 
prescribed Turing machine $A$, whereas in (4.15) we quantify over the proofs $A$ 
for $x$ of any prover (i.e., any Turing machine of unlimited computational power) 
that may replace the fixed Turing machine $A$. 

(3) IP denotes the class of all sets that can be accepted by an interactive proof 
system. 

Note that the acceptance probabilities of at least $3/4$ if $x \in L$ (respectively, of at 
most $1/4$ if $x \notin L$) are chosen at will. By probability amplification techniques [Pap94, 
BDG95,BC93], one can use any constants $1/2 + \epsilon$ and $1/2 - \epsilon$, respectively, where $\epsilon > 0$. 
It is even possible to make the error probability as small as $2^{-p(|x|)}$, for any fixed 
polynomial $p$. Better yet, Goldreich, Mansour, and Sipser [GMS87] have shown 
that one can even require the acceptance probability of exactly 1 if $x \in L$, without 
changing the class IP. 

In the literature, verifier and prover are sometimes referred to as Arthur and 
Merlin. In fact, the Arthur-Merlin games introduced by Babai and Moran [BM88, 
Bab85] are nothing else than the interactive proof systems of Goldwasser et 
al. [GMR85,GMR89]. One difference between Definition 4.2 and the definition 
of Arthur-Merlin games is that the random bits chosen by Arthur are public (i.e., 
they are known to Merlin), while they are private to Bob in Definition 4.2. However, 
Goldwasser and Sipser [GS89] have shown that the privacy of the verifier's 
random bits does not matter: Arthur-Merlin games are equivalent to interactive 
proof systems. 

What if Bob has run out of coins? That is, what if he behaves deterministically 
when verifying Alice's proof for "$x \in L$"? Due to her unlimited computational 
power, Alice can provide proofs of unlimited length, i.e., of length not bounded by 
any function in the length of $x$. However, since Bob is a polynomial-time Turing 
machine, it is clear that he can check only proofs of length polynomial in $|x|$. It 
follows that IP, when restricted to deterministic polynomial-time verifiers, is just a 
cumbersome way of defining the class NP. Hence, since Graph-Isomorphism belongs 
to NP, it must also belong to the (unrestricted) class IP. We omit presenting an 
explicit IP protocol for Graph-Isomorphism here, but we refer to Section 4.3, where 
in Figure 13 an IP protocol for Graph-Isomorphism with an additional property is 
given: it is a zero-knowledge protocol. 

But what about the complement of Graph-Isomorphism? Does there exist an 
interactive proof system that decides whether or not two given graphs are 
non-isomorphic? Note that even though Alice is all-powerful computationally, she may 
run into difficulties when she is trying to prove that the graphs are non-isomorphic. 
Consider, for example, two non-isomorphic graphs with 1000 vertices each. A proof 
of that fact seems to require Alice to show that none of the $1000!$ possible 
permutations is an isomorphism between the graphs. Not only would it be impossible for 
Bob to check such a long proof in polynomial time, also for Alice it would be literally 
impossible to write this proof down. After all, $1000!$ is approximately $4 \cdot 10^{2567}$. 
This number exceeds the number of atoms in the entire visible universe,¹ which is 
currently estimated to be around $10^{80}$, by a truly astronomical factor. 

That is why the following result of Goldreich, Micali, and Wigderson [GMW86, 
GMW91] was a bit of a surprise. 

Theorem 4.3. [GMW86,GMW91] $\overline{\text{Graph-Isomorphism}}$ is in IP. 

¹ Dark matter excluded. 
Proof. Figure 12 shows the interactive proof system for the graph 
non-isomorphism problem. 

Input: two graphs $G_1$ and $G_2$. 
Step 1 (Bob): randomly chooses a permutation $\pi$ on $V(G_1)$ and a bit $b \in \{1, 2\}$, and computes $H = \pi(G_b)$. 
Step 2 (Bob $\to$ Alice): sends $H$. 
Step 3 (Alice): determines $a \in \{1, 2\}$ such that $G_a$ and $H$ are isomorphic. 
Step 4 (Alice $\to$ Bob): sends $a$. 
Step 5 (Bob): accepts if and only if $a = b$. 

Fig. 12. The Goldreich-Micali-Wigderson IP protocol for $\overline{\text{Graph-Isomorphism}}$. 

Let us check that the implications (4.14) and (4.15) from Definition 4.2 do hold. 
Suppose that $G_1$ and $G_2$ are non-isomorphic. Then, it is easy for Alice to determine 
that graph $G_b$, $b \in \{1, 2\}$, to which $H$ is isomorphic. So she sends $a = b$, and Bob 
accepts with probability 1. That is, 

$$(G_1, G_2) \in \overline{\text{Graph-Isomorphism}} \implies (\exists A)\,[\Pr((A, B)(G_1, G_2) = 1) = 1].$$ 

Now suppose that $G_1$ and $G_2$ are isomorphic. Then, no matter what clever 
strategy Alice applies, her chance of answering correctly (i.e., with $a = b$) is no 
better than $1/2$: since $\pi$ is chosen uniformly at random, the graph $H$ has the same 
distribution whether $b = 1$ or $b = 2$, so $H$ carries no information about $b$, and 
Alice, who does not see Bob's random bit $b$, can do no better than guessing. That is, 

$$(G_1, G_2) \notin \overline{\text{Graph-Isomorphism}} \implies (\forall A)\,[\Pr((A, B)(G_1, G_2) = 1) \le 1/2].$$ 

Note that the acceptance probability of $\le 1/2$ above is not yet the acceptance 
probability of $\le 1/4$ required in (4.15) of Definition 4.2. However, as mentio­ned above, 
standard probability amplification techniques yield an error probability as close to 
zero as one desires. We leave the details to the reader. □ 
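Added Python simulation, not from the page, of the Figure 12 protocol on constructed four-vertex graphs. The prover is "all-powerful" by brute force over all $4!$ permutations, and `acceptance_probability` enumerates the verifier's coins exactly, so both cases of the proof (probability 1 for non-isomorphic inputs, exactly $1/2$ for isomorphic ones, whatever fixed strategy the prover uses) can be checked rather than argued; `run_protocol` then shows the sequential repetition that brings the error below the $1/4$ of Definition 4.2.

```python
from fractions import Fraction
from itertools import permutations
import random

# Constructed sample graphs on vertices {0, 1, 2, 3}: a 4-cycle, a relabelled 4-cycle
# (isomorphic to the first) and a path on 4 vertices (not isomorphic to a cycle).
C4 = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3), (3, 0)])
C4_RELABELLED = frozenset(frozenset(e) for e in [(0, 2), (2, 1), (1, 3), (3, 0)])
P4 = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3)])


def apply_perm(graph, pi):
    """pi(G): relabel every edge {i, j} as {pi[i], pi[j]}."""
    return frozenset(frozenset(pi[v] for v in edge) for edge in graph)


def isomorphic(g, h, n):
    """Brute force over all n! bijections: the unbounded prover on toy inputs."""
    return any(apply_perm(g, pi) == h for pi in permutations(range(n)))


def prover(g1, g2, h, n):
    """Step 3: answer a in {1, 2} with G_a isomorphic to H. When both graphs
    match H (they are isomorphic), this fixed choice is as good as any strategy."""
    return 1 if isomorphic(g1, h, n) else 2


def one_round(g1, g2, n, rng=random):
    """Steps 1-5 of Fig. 12 for one coin flip and one random permutation."""
    pi = list(range(n))
    rng.shuffle(pi)
    b = rng.choice((1, 2))
    h = apply_perm(g1 if b == 1 else g2, pi)
    return prover(g1, g2, h, n) == b


def acceptance_probability(g1, g2, n):
    """Exact Pr[Bob accepts] over all (pi, b), i.e. over all of the verifier's coins."""
    hits = total = 0
    for pi in permutations(range(n)):
        for b in (1, 2):
            h = apply_perm(g1 if b == 1 else g2, pi)
            hits += prover(g1, g2, h, n) == b
            total += 1
    return Fraction(hits, total)


def run_protocol(g1, g2, n, rounds=20, seed=None):
    """Sequential repetition: accept only if every round succeeds, so an isomorphic
    pair is wrongly accepted with probability 2^-rounds."""
    rng = random.Random(seed)
    return all(one_round(g1, g2, n, rng) for _ in range(rounds))


if __name__ == "__main__":
    print(acceptance_probability(C4, P4, 4), acceptance_probability(C4, C4_RELABELLED, 4))
    print(run_protocol(C4, P4, 4), run_protocol(C4, C4_RELABELLED, 4))
```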

By definition, IP contains all of NP. The above result shows that IP also contains 
a problem from coNP, the class of complements of NP problems, which is unlikely 
to be contained in NP. So, the question arises of how big the class IP actually is. 
A famous result of Adi Shamir [Sha92] settled this question: IP equals PSPACE, 
the class of problems that can be decided in polynomial space. 
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4.2 Zero-Knowledge Protocols 

Recalling the issue of authentication mentioned at the beginning of this section, we 
are now ready to define zero-knowledge protocols. 

As mentioned above, Graph-Isomorphism is in IP. To prove that the two given 
graphs are isomorphic, Alice simply sends an isomorphism $\pi$ to Bob, which he 
then checks deterministically in polynomial time. Suppose, however, that Alice 
wants to keep the isomorphism $\pi$ secret. On the one hand, she does not want to 
disclose her secret; on the other hand, she wants to prove to Bob that she knows it. 
What she needs is a very special IP protocol that conveys nothing about her secret 
isomorphism, and yet proves that the graphs are isomorphic. The next section will 
present such a zero-knowledge protocol for Graph-Isomorphism. 

But what is a zero-knowledge protocol and how can one formalize it? The in- 
tuition is this. Imagine that Alice has a twin sister named Malice who looks just 
like her. However, Malice does not know Alice's secret. Moreover, Malice does not 
have Alice's unlimited computational power; rather, just like the verifier Bob, she 
operates only as a randomized polynomial-time Turing machine. Still, she tries to 
simulate Alice's communication with Bob. An IP protocol has the zero-knowledge 
property if the information communicated in Malice's simulated protocol cannot 
be distinguished from the information communicated in Alice's original protocol. 
Malice, not knowing the secret, cannot put any information about the secret into 
her simulated protocol, and yet she is able to generate a clone of the original 
protocol that looks just like the original to an independent observer. Consequently, 
the verifier Bob (or any other party such as Erich) cannot extract any informa- 
tion about the secret from the original protocol. In short, if there's nothing in there, you can't get 
anything out of it. 

Definition 4.4 Zero-Knowledge Protocols. [GMR85,GMR89] Let $(A, B)$ be an 
interactive proof system accepting a problem $L$. We say $(A, B)$ is a zero-knowledge 
protocol for $L$ if and only if there exists a simulator Malice such that the following 
holds: 

— Malice runs a randomized polynomial-time Turing machine $M$ to simulate the 
prover Alice in her communication with Bob, thus yielding a simulated protocol 
$(M, B)$; 

— for each $x \in L$, the tuples $(a_1, a_2, \ldots, a_k)$ and $(m_1, m_2, \ldots, m_k)$ representing the 
communication in $(A, B)$ and in $(M, B)$, respectively, are identically distributed 
over the coin tosses of $A$ and $B$ in $(A, B)$ and of $M$ and $B$ in $(M, B)$, respectively. 

The above definition is called "honest-verifier perfect zero-knowledge" in the 
literature. That is, (a) one assumes that the verifier is honest, and (b) one requires 
that the information communicated in the simulated protocol perfectly coincides 
with the information communicated in the original protocol. 

Assumption (a) is not quite realistic for most cryptographic applications. A 
dishonest verifier might alter the protocol to his own advantage, for instance by 
choosing his challenge bits as a function of the prover's messages instead of at random. Therefore, one 
should modify the definition above to require that for each verifier $B^*$ there exists a 
simulator $M^*$ generating a simulated protocol not distinguishable from the original 
one. However, honest-verifier zero-knowledge protocols with public random bits 
can always be transformed to protocols that have the zero-knowledge property also 
in the presence of dishonest verifiers. 

Regarding assumption (b), there are several other notions of zero-knowledge 
that are weaker than perfect zero-knowledge, such as "statistical zero-knowledge" 
and "computational zero-knowledge." In a statistical zero-knowledge protocol (also 
known as an almost-perfect zero-knowledge protocol), one requires that the information 
communicated in the original and in the simulated protocol be indistinguishable by 
certain statistical tests. In a computational zero-knowledge protocol, one merely re- 
quires that the information communicated in the original and in the simulated pro- 
tocol be computationally indistinguishable, i.e., for each randomized polynomial- 
time Turing machine, the probability of detecting differences in the corresponding 
distributions is negligibly small. 

In the latter model, Goldreich, Micali, and Wigderson [GMW86,GMW91] showed 
what is considered by far the most important result on zero-knowledge: Every prob- 
lem in NP has a computational zero-knowledge protocol under the plausible assump- 
tion that there exist cryptographically secure bit-commitment schemes. The key 
idea is a computational zero-knowledge protocol for Graph-Three-Colorability, a 
well-known NP-complete problem. In contrast, it seems unlikely [BC89] that such 
a strong claim can be proven for the perfect zero-knowledge model presented in 
Definition 4.4. 

For more information about interactive proof systems and zero-knowledge, we 
refer to the books by Goldreich [Gol01b, Chapter 4], Köbler et al. [KST93, Chap- 
ter 2], Papadimitriou [Pap94, Chapter 12.2], Balcázar et al. [BDG90, Chapter 11], 
and Bovet et al. [BC93, Chapter 10] and to the surveys by Oded Goldreich [Gol88], 
Shafi Goldwasser [Gol89], and Joan Feigenbaum [Fei92]. 

4.3 Zero-Knowledge Protocol for the Graph Isomorphism Problem 

Oded Goldreich, Silvio Micali, and Avi Wigderson [GMW86,GMW91] proposed a 
zero-knowledge protocol for the graph isomorphism problem. This result was quite 
a surprise, since previously zero-knowledge protocols were known only for problems 
contained both in NP and coNP. It is considered to be unlikely that NP equals 
coNP; in particular, it is considered to be unlikely that Graph-Isomorphism is in 
coNP. 

Theorem 4.5. [GMW86,GMW91] Graph-Isomorphism has a zero-knowledge 
protocol. 

Proof. Figure 13 shows the Goldreich-Micali-Wigderson protocol. One differ- 
ence from the protocol for the graph non-isomorphism problem in Figure 12 is that 
now Alice too makes random choices. 

Alice's secret is the isomorphism $\pi$ she has chosen. The protocol is correct, since 
Alice knows her secret $\pi$ and also her random permutation $\rho$. Hence, she can easily 
compute the isomorphism $\sigma$ with $\sigma(G_b) = H$ to prove her identity to Bob. When 
doing so, she does not have to disclose her secret $\pi$ to Bob in order to convince him 
of her identity. In particular, 

$$(G_1, G_2) \in \text{Graph-Isomorphism} \Rightarrow (\exists A)\,[\Pr((A, B)(G_1, G_2) = 1) = 1],$$

so the implication (4.14) from Definition 4.2 holds. Since Alice herself has cho- 
sen two isomorphic graphs, the case $(G_1, G_2) \notin \text{Graph-Isomorphism}$ does not oc- 
cur, so the implication (4.15) from Definition 4.2 trivially holds if the protocol 
is implemented properly. Thus, the protocol is an interactive proof system for 
Graph-Isomorphism. 

Recall that Alice wants to prove her identity via this protocol. Suppose that Erich 
or Malice want to cheat by pretending to be Alice. They do not know her secret 
isomorphism $\pi$, but they do know the public isomorphic graphs $G_1$ and $G_2$. They 
want to convince Bob that they know Alice's secret, which corresponds to $(G_1, G_2)$. 
If, by coincidence, Bob's bit $b$ equals their previously chosen bit $a$, they win, since 
the answer $\sigma = \rho$ needs no secret. How- 
ever, if $b \neq a$, computing $\sigma = \rho \circ \pi$ or $\sigma = \rho \circ \pi^{-1}$ requires knowledge of $\pi$. 
Computing $\pi$ from the public graphs $G_1$ and $G_2$ alone seems to be 
infeasible for them, since Graph-Isomorphism is considered a hard problem, too hard even for 
randomized polynomial-time Turing machines. Thus, they will fail provided that 
the graphs are chosen large enough. 



Generation of isomorphic graphs and a secret isomorphism: 
  Step 1 (Alice): chooses a large graph $G_1$, a random permutation $\pi$ on $G_1$'s 
  vertices, and computes the graph $G_2 = \pi(G_1)$; $(G_1, G_2)$ are public, $\pi$ is private. 

Protocol: 
  Step 2 (Alice): randomly chooses a permutation $\rho$ on $V(G_1)$ and a bit 
  $a \in \{1, 2\}$, computes $H = \rho(G_a)$. 
  Step 3 (Alice → Bob): $H$. 
  Step 4 (Bob): chooses a bit $b \in \{1, 2\}$ at random and wants to see an 
  isomorphism between $G_b$ and $H$. 
  Step 5 (Bob → Alice): $b$. 
  Step 6 (Alice): computes the permutation 
      $\sigma = \rho$ if $b = a$; 
      $\sigma = \rho \circ \pi$ if $1 = b \neq a = 2$; 
      $\sigma = \rho \circ \pi^{-1}$ if $2 = b \neq a = 1$; 
  satisfying $\sigma(G_b) = H$. 
  Step 7 (Alice → Bob): $\sigma$. 
  Step 8 (Bob): verifies that indeed $\sigma(G_b) = H$ and accepts accordingly. 

Fig. 13. The Goldreich-Micali-Wigderson zero-knowledge protocol for graph isomorphism. 
Since they cannot do better than guessing the bit $b$, they can cheat with prob- 
ability at most $1/2$. Of course, they can always guess the bit $b$, which implies that 
their chance of cheating successfully is exactly $1/2$. Hence, if Bob demands, say, $k$ 
independent rounds of the protocol to be executed, he can make the cheating prob- 
ability as small as $2^{-k}$, and thus is very likely to detect any cheater. Note that 
after only 20 rounds the odds of malicious Malice getting away with it undetected 
are less than one in a million. Hence, the protocol is correct. 
Simulated generation of isomorphic graphs: 
  Step 1 (Malice): knows the public pair $(G_1, G_2)$ of isomorphic graphs, does not 
  know Alice's secret $\pi$. 

Simulated protocol: 
  Step 2 (Malice): randomly chooses a permutation $\rho$ on $V(G_1)$ and a bit 
  $a \in \{1, 2\}$, computes $H = \rho(G_a)$. 
  Step 3 (Malice → Bob): $H$. 
  Step 4 (Bob): chooses a bit $b \in \{1, 2\}$ at random. 
  Step 5 (Bob → Malice): $b$. 
  Step 6 (Malice): if $b \neq a$ then $M$ deletes all messages transmitted in this round 
  and repeats; if $b = a$ then $M$ sends $\sigma = \rho$. 
  Step 7 (Malice → Bob): $\sigma$. 
  Step 8 (Bob): $b = a$ implies that indeed $\sigma(G_b) = H$, so Bob accepts "Alice's" 
  identity. 

Fig. 14. How to simulate the Goldreich-Micali-Wigderson protocol without knowing the secret $\pi$. 



It remains to show that the protocol in Figure 13 is zero-knowledge. Figure 14 
shows a simulated protocol with Malice, who does not know the secret $\pi$, replacing 
Alice. The information communicated in one round of the protocol is given by 
a triple of the form $(H, b, \sigma)$. Whenever Malice chooses a bit $a$ with $a = b$, she 
simply sends $\sigma = \rho$ and wins: Bob, or any independent observer, will not detect 
that she in fact is Malice. Otherwise, whenever $a \neq b$, Malice fails. However, that's 
no problem at all: she simply deletes this round from the simulated protocol and 
repeats. Since an honest Bob's bit is independent of $a$, each attempt succeeds with 
probability $1/2$, so two attempts per round suffice on average and the simulation runs 
in expected polynomial time. Thus, she can produce a sequence of triples of the form $(H, b, \sigma)$ that is 
identically distributed to the corresponding sequence of triples in the original protocol 
between Alice and Bob: in both, $H$ is a uniformly random graph isomorphic to $G_1$, 
$b$ is Bob's uniform bit, and $\sigma$ is a uniformly random isomorphism from $G_b$ to $H$. 
It follows that the Goldreich-Micali-Wigderson protocol is 
zero-knowledge. □
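The following Python program is an added example written for this page, not code from the paper or from [GMW86,GMW91]. It implements the protocol of Figure 13 for an honest prover, shows that a prover who lacks $\pi$ is caught in every round where $b \neq a$, and implements the rewinding simulator of Figure 14 without ever receiving $\pi$. The graph encoding (edge sets on vertices $0, \ldots, n-1$), the random-graph key generation, and the `demo` driver are this example's own choices; the bits $a$, $b$ keep the paper's values $\{1, 2\}$.

```python
"""Added example: the GMW graph-isomorphism protocol of Fig. 13, a prover
without the secret pi, and the rewinding simulator of Fig. 14.  Written for
this page, not code from the paper.  Graphs are sets of undirected edges on
vertices 0..n-1; a permutation is a tuple with perm[v] = image of v."""
import random
from typing import FrozenSet, List, Optional, Tuple

Graph = FrozenSet[FrozenSet[int]]
Perm = Tuple[int, ...]

def apply_perm(perm: Perm, g: Graph) -> Graph:
    return frozenset(frozenset(perm[v] for v in e) for e in g)

def compose(outer: Perm, inner: Perm) -> Perm:
    """(outer o inner)(v) = outer[inner[v]]."""
    return tuple(outer[inner[v]] for v in range(len(inner)))

def inverse(perm: Perm) -> Perm:
    inv = [0] * len(perm)
    for v, w in enumerate(perm):
        inv[w] = v
    return tuple(inv)

def random_perm(n: int, rng: random.Random) -> Perm:
    p = list(range(n))
    rng.shuffle(p)
    return tuple(p)

def keygen(n: int, edge_prob: float, rng: random.Random) -> Tuple[Graph, Graph, Perm]:
    """Step 1: random G_1, secret pi, public G_2 = pi(G_1)."""
    g1 = frozenset(frozenset((u, v)) for u in range(n) for v in range(u + 1, n)
                   if rng.random() < edge_prob)
    pi = random_perm(n, rng)
    return g1, apply_perm(pi, g1), pi

def verify(g1: Graph, g2: Graph, h: Graph, b: int, sigma: Perm) -> bool:
    """Step 8: Bob checks sigma(G_b) = H."""
    return apply_perm(sigma, g1 if b == 1 else g2) == h

class Prover:
    """Alice when pi is given; Malice or Erich (pi=None) can only hope b == a."""
    def __init__(self, n: int, g1: Graph, g2: Graph, pi: Optional[Perm], rng: random.Random):
        self.n, self.g1, self.g2, self.pi, self.rng = n, g1, g2, pi, rng

    def commit(self) -> Graph:                      # steps 2-3: H = rho(G_a)
        self.rho = random_perm(self.n, self.rng)
        self.a = self.rng.choice((1, 2))
        return apply_perm(self.rho, self.g1 if self.a == 1 else self.g2)

    def respond(self, b: int) -> Optional[Perm]:    # step 6
        if b == self.a:
            return self.rho                         # no secret needed
        if self.pi is None:
            return None                             # stuck without pi
        # b=1, a=2: H = rho(pi(G_1))               -> sigma = rho o pi
        # b=2, a=1: H = rho(G_1) = rho(pi^-1(G_2)) -> sigma = rho o pi^-1
        return compose(self.rho, self.pi if b == 1 else inverse(self.pi))

def run(prover: Prover, g1: Graph, g2: Graph, rounds: int, bob_rng: random.Random):
    """k independent rounds; Bob accepts only if every round verifies.  Returns
    (accepted, transcript of (H, b, sigma) triples up to the first failure)."""
    transcript = []
    for _ in range(rounds):
        h = prover.commit()
        b = bob_rng.choice((1, 2))                  # steps 4-5
        sigma = prover.respond(b)
        if sigma is None or not verify(g1, g2, h, b, sigma):
            return False, transcript                # cheater caught here
        transcript.append((h, b, sigma))
    return True, transcript

def simulate(n: int, g1: Graph, g2: Graph, rounds: int, rng: random.Random) -> List[tuple]:
    """Fig. 14: Malice, without pi, rewinds whenever Bob's b differs from her a.
    A kept round is (rho(G_a), a, rho) with uniform rho and a, which is exactly
    how Alice's (H, b, sigma) is distributed against an honest Bob."""
    transcript = []
    while len(transcript) < rounds:
        rho, a = random_perm(n, rng), rng.choice((1, 2))
        h = apply_perm(rho, g1 if a == 1 else g2)
        b = rng.choice((1, 2))                      # honest Bob's fresh coin
        if b == a:                                  # otherwise delete and retry
            transcript.append((h, b, rho))
    return transcript

def demo(seed: int = 7, n: int = 10, rounds: int = 20) -> dict:
    """Honest run, cheating run and simulation on one key pair."""
    rng = random.Random(seed)
    g1, g2, pi = keygen(n, 0.5, rng)
    honest_ok, honest_t = run(Prover(n, g1, g2, pi, rng), g1, g2, rounds, rng)
    cheat_ok, cheat_t = run(Prover(n, g1, g2, None, rng), g1, g2, rounds, rng)
    sim = simulate(n, g1, g2, rounds, rng)
    return {"honest_accepts": honest_ok and len(honest_t) == rounds,
            "cheater_caught": not cheat_ok,
            "cheater_rounds_survived": len(cheat_t),
            "simulation_verifies": all(verify(g1, g2, h, b, s) for h, b, s in sim)}
```

Running `demo()` shows the three behaviours the proof relies on: the honest prover passes all rounds, the secret-less prover survives only the rounds where Bob's coin happens to equal hers, and every simulated triple passes Bob's check although `simulate` never sees $\pi$. Note that the real protocol's zero-knowledge guarantee is only for this honest Bob: the simulator tosses Bob's coin itself, so a Bob who chose $b$ depending on $H$ is not modelled here.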

4.4 Fiat and Shamir's Zero-Knowledge Protocol 

Based on a similar protocol by Goldwasser, Micali and Rackoff [GMR89], Amos Fiat 
and Adi Shamir [FS86] proposed a zero-knowledge protocol for a number-theoretical 
problem. It is based on the assumption that computing square roots in $\mathbb{Z}_n^*$ is 
infeasible in practice when the factorization of $n$ is unknown. Due to its properties, the Fiat-Shamir protocol is particularly 
suitable for authentication of individuals in large computer networks. It is a public- 
key protocol, it is more efficient than other public-key protocols such as the RSA 
algorithm, it can be implemented on a chip card, and it is zero-knowledge. These 
advantages resulted in a rapid deployment of the protocol in practical applications. 
The Fiat-Shamir protocol is integrated in the "Videocrypt" Pay-TV system [CH01]. 
The original Fiat-Shamir identification scheme was later improved by Feige, 
Fiat and Shamir [FFS88] to a zero-knowledge protocol in which not only are the secret 
square roots modulo $n$ not revealed, but also the information of whether or not 
there exists a square root modulo $n$ is not leaked. 

The theory of zero-knowledge may also become important in future internet 
technologies. To prevent confusion, we note that Zero-Knowledge Systems, Inc., 
a Montreal-based company that was founded in 1997 and provides products and 
services enabling users to protect their privacy on-line on the world wide web, is 
not a commercial fielding of zero-knowledge protocols [Gol01a]. 

Theorem 4.6. [FS86] The Fiat-Shamir procedure given in Figure 15 is a zero- 
knowledge protocol. 

Proof. Look at Figure 15. The protocol is correct, since Alice knows the secret 
$s \in \mathbb{Z}_n^*$ that she has chosen, and thus she can compute $y = r \cdot s^b$, where $b$ is the bit 
that Bob has chosen at random. Hence, it holds in $\mathbb{Z}_n^*$ that 

$$y^2 = (r \cdot s^b)^2 = r^2 \cdot s^{2b} = r^2 \cdot v^b = x \cdot v^b \bmod n,$$

so Bob accepts Alice's identity. 

Suppose now that Erich or Malice want to cheat by pretending to be Alice. They 
do not know her secret $s$, nor do they know the primes $p$ and $q$, but they do know 
the public $n = pq$ and $v = s^2 \bmod n$. They want to convince Bob that they know 
Alice's secret $s$, the square root of $v$ modulo $n$. If, by coincidence, Bob's bit $b$ 
equals zero, then $y = r \cdot s^0 = r$ and they win. However, if $b = 1$, computing a 
$y$ that satisfies $y^2 = x \cdot v \bmod n$ requires knowledge of the secret $s$, assuming 
that computing square roots modulo $n$ is hard. Without knowing $s$, if Malice or 
Erich were able to compute the correct answer for both $b = 0$ and $b = 1$ on the same $x$, say $y_0$ and $y_1$ 
with $y_b^2 = x \cdot v^b \bmod n$, they could efficiently compute square roots modulo $n$ as 
follows: $y_0^2 = x \bmod n$ and $y_1^2 = x \cdot v \bmod n$ implies $(y_1/y_0)^2 = v \bmod n$; hence, $y_1/y_0$ 
is a square root of $v$ modulo $n$. 

It follows that they can cheat with probability at most $1/2$. Of course, they can 
always guess the bit $b$ in advance and prepare the answer accordingly. Choosing 
$x = r^2 \cdot v^{-b} \bmod n$ and $y = r$ implies that 

$$y^2 = r^2 = r^2 \cdot v^{-b} \cdot v^b = x \cdot v^b \bmod n. \qquad (4.16)$$
Key generation: 
  Step 1 (Alice): chooses two large primes $p$ and $q$, computes $n = pq$, chooses 
  $s \in \mathbb{Z}_n^*$ and computes $v = s^2 \bmod n$; $(n, v)$ are public, $p$, $q$, and $s$ are private. 

Protocol: 
  Step 2 (Alice): randomly chooses $r \in \mathbb{Z}_n^*$ and computes $x = r^2 \bmod n$. 
  Step 3 (Alice → Bob): $x$. 
  Step 4 (Bob): chooses a bit $b \in \{0, 1\}$ at random. 
  Step 5 (Bob → Alice): $b$. 
  Step 6 (Alice): computes $y = r \cdot s^b \bmod n$. 
  Step 7 (Alice → Bob): $y$. 
  Step 8 (Bob): verifies that indeed $y^2 = x \cdot v^b \bmod n$ and accepts accordingly. 

Fig. 15. The Fiat-Shamir zero-knowledge protocol. 



Thus, Bob will not detect any irregularities and will accept. Hence, their chance to 
cheat successfully is exactly $1/2$. Again, if Bob demands, say, $k$ independent rounds 
of the protocol to be executed, he can make the cheating probability as small as 
desired ($2^{-k}$) and is very likely to detect any cheater. 

It remains to show that the Fiat-Shamir protocol in Figure 15 is zero-knowledge. 
Figure 16 shows a simulated protocol with Malice, who does not know the secret $s$, 
replacing Alice. The information communicated in one round of the protocol is 
given by a triple of the form $(x, b, y)$. In addition to the randomly chosen $r \in \mathbb{Z}_n^*$, 
Malice guesses a bit $c \in \{0, 1\}$ and computes $x = r^2 \cdot v^{-c} \bmod n$, which she sends 
to Bob. Whenever $c$ happens to be equal to Bob's bit $b$, Malice simply sends $y = r$ 
and wins. By an argument analogous to Equation (4.16) above, neither Bob nor 
any independent observer will detect that she actually is Malice: 

$$y^2 = r^2 = r^2 \cdot v^{-c} \cdot v^{c} = x \cdot v^{c} = x \cdot v^{b} \bmod n.$$

Otherwise, whenever $c \neq b$, Malice fails. However, that's no problem at all: she 
simply deletes this round from the simulated protocol and repeats. Thus, she can 
produce a sequence of triples of the form $(x, b, y)$ that is indistinguishable from the 
corresponding sequence of triples in the original protocol between Alice and Bob. 
It follows that the Fiat-Shamir protocol is zero-knowledge. □

Simulated key generation: 
  Step 1 (Malice): knows the public $n = pq$ and $v = s^2 \bmod n$; does not know the 
  private primes $p$ and $q$ and Alice's secret $s$. 

Simulated protocol: 
  Step 2 (Malice): randomly chooses $r \in \mathbb{Z}_n^*$ and a bit $c \in \{0, 1\}$, computes 
  $x = r^2 \cdot v^{-c} \bmod n$. 
  Step 3 (Malice → Bob): $x$. 
  Step 4 (Bob): chooses a bit $b \in \{0, 1\}$ at random. 
  Step 5 (Bob → Malice): $b$. 
  Step 6 (Malice): if $b \neq c$ then $M$ deletes all messages transmitted in this round 
  and repeats; if $b = c$ then $M$ sends $y = r$. 
  Step 7 (Malice → Bob): $y$. 
  Step 8 (Bob): $b = c$ implies that indeed $y^2 = r^2 = r^2 \cdot v^{-c} \cdot v^{c} = x \cdot v^b \bmod n$, 
  so Bob accepts "Alice's" identity. 

Fig. 16. How to simulate the Fiat-Shamir protocol without knowing the secret $s$. 

We have chosen to give here the original Fiat-Shamir identification scheme as 
presented in most books (see, e.g., [Gol01b,BSW01]). Note, however, that quite a 
number of modifications and improvements of the Fiat-Shamir protocol have been 
proposed, including the "zero-knowledge proof of knowledge" protocol of Feige, 
Fiat and Shamir [FFS88]. We also note in passing that we omitted many formal 
details in our arguments in this section. A rigid formalism (see [Gol01b]) is helpful in 
discussing many subtleties that can arise in zero-knowledge protocols. For example, 
looking at Figure 15, Alice could be impersonated by anyone who picks the value 
$r = 0$: then $x = 0$ and $y = 0$ satisfy $y^2 = x \cdot v^b \bmod n$ for either bit $b$, without Bob 
detecting this fraud. We refer to Burmester and Desmedt [BD89] 
for appropriate modifications of the scheme. Moreover, Burmester et al. [BDPW89, 
BDB92] proposed efficient zero-knowledge protocols in a general algebraic setting. 
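As an added example written for this page (not the code of [FS86] or of the paper), the following Python program runs the Fiat-Shamir round of Figure 15, the simulator of Figure 16, and the square-root extraction from the proof of Theorem 4.6 on toy primes, and exercises the $r = 0$ impersonation just mentioned. The extra test that Bob rejects any $x \notin \mathbb{Z}_n^*$ is this example's own simple countermeasure, not the modification of [BD89]; the primes 1009 and 1013 and the `demo` driver are this example's choices, and such primes are far too small for real use.

```python
"""Added example: one Fiat-Shamir identification round (Fig. 15), the
rewinding simulator (Fig. 16), the square-root extractor from the proof of
Theorem 4.6, and the r = 0 degenerate case.  Written for this page, not the
paper's code.  Needs Python 3.8+ for pow(a, -1, n)."""
import random
from math import gcd
from typing import List, Tuple

def keygen(p: int, q: int, rng: random.Random) -> Tuple[int, int, int]:
    """Alice: n = pq public, s in Z_n^* secret, v = s^2 mod n public."""
    n = p * q
    while True:
        s = rng.randrange(2, n - 1)
        if gcd(s, n) == 1 and pow(s, 2, n) != 1:    # skip the trivial roots of 1
            return n, s, pow(s, 2, n)

def random_unit(n: int, rng: random.Random) -> int:
    """A random element of Z_n^* (coprime to n); the r of step 2."""
    while True:
        r = rng.randrange(1, n)
        if gcd(r, n) == 1:
            return r

class Alice:
    def __init__(self, n: int, s: int, rng: random.Random):
        self.n, self.s, self.rng = n, s, rng

    def commit(self) -> int:                  # steps 2-3: x = r^2 mod n
        self.r = random_unit(self.n, self.rng)
        return pow(self.r, 2, self.n)

    def respond(self, b: int) -> int:         # step 6: y = r * s^b mod n
        return (self.r * pow(self.s, b, self.n)) % self.n

def verify(n: int, v: int, x: int, b: int, y: int, strict: bool = True) -> bool:
    """Step 8: y^2 = x * v^b (mod n).  The 'strict' gcd test is this example's
    own addition (an assumption, not the modification of [BD89]): it rejects
    x = 0 and any other x outside Z_n^*, which blocks the r = 0 impersonation."""
    if strict and gcd(x, n) != 1:
        return False
    return pow(y, 2, n) == (x * pow(v, b, n)) % n

def prepare_for_guess(n: int, v: int, c: int, rng: random.Random) -> Tuple[int, int]:
    """Equation (4.16): with guess c, x = r^2 * v^{-c} and y = r pass iff b == c.
    Used by a cheating prover and, with rewinding, by the simulator."""
    r = random_unit(n, rng)
    x = (pow(r, 2, n) * pow(v, -c, n)) % n    # pow(v, 0, n) = 1, pow(v, -1, n) = v^-1
    return x, r

def simulate(n: int, v: int, rounds: int, rng: random.Random) -> List[Tuple[int, int, int]]:
    """Fig. 16: keep a round only when Bob's b equals the guess c."""
    out = []
    while len(out) < rounds:
        c = rng.choice((0, 1))
        x, r = prepare_for_guess(n, v, c, rng)
        b = rng.choice((0, 1))                # honest Bob's fresh coin
        if b == c:                            # otherwise delete the round and retry
            out.append((x, b, r))
    return out

def extract_root(n: int, v: int, x: int, y0: int, y1: int) -> int:
    """Proof of Theorem 4.6: valid answers to both challenges on the same x
    give y1/y0 with (y1/y0)^2 = v, i.e. a square root of v modulo n."""
    if pow(y0, 2, n) != x or pow(y1, 2, n) != (x * v) % n:
        raise ValueError("transcripts do not both verify on this x")
    return (y1 * pow(y0, -1, n)) % n

def demo(p: int = 1009, q: int = 1013, seed: int = 11, rounds: int = 30) -> dict:
    """Honest round, root extraction, guessing cheater, simulation, r = 0 check."""
    rng = random.Random(seed)
    n, s, v = keygen(p, q, rng)
    alice = Alice(n, s, rng)
    x = alice.commit()
    y0, y1 = alice.respond(0), alice.respond(1)   # same r, both challenges
    xc, rc = prepare_for_guess(n, v, 0, rng)      # cheater guessed b = 0
    sim = simulate(n, v, rounds, rng)
    return {"honest_both_challenges": verify(n, v, x, 0, y0) and verify(n, v, x, 1, y1),
            "extracted_root_squares_to_v": pow(extract_root(n, v, x, y0, y1), 2, n) == v,
            "cheater_wins_on_guess": verify(n, v, xc, 0, rc),
            "cheater_loses_on_other_bit": not verify(n, v, xc, 1, rc),
            "simulation_verifies": all(verify(n, v, xs, b, ys) for xs, b, ys in sim),
            "r0_passes_plain_check": verify(n, v, 0, 1, 0, strict=False),
            "r0_rejected_by_strict_check": not verify(n, v, 0, 1, 0)}
```

The `extract_root` function is the reason a single round gives only a $1/2$ soundness bound and also why Alice must never answer two different challenges on the same $x$: reusing $r$ across rounds hands the verifier her secret. The `r0_*` entries show the degenerate transcript $(0, b, 0)$ passing the textbook check and failing once Bob insists on $x \in \mathbb{Z}_n^*$.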

5. STRONGLY NONINVERTIBLE ASSOCIATIVE ONE-WAY FUNCTIONS 

Recall Rivest and Sherman's secret-key agreement protocol (Figure 10) and Rabi 
and Sherman's digital signature protocol (Figure 11) presented in Section 3.4. Both 
of these protocols use a candidate for a strongly noninvertible, associative one-way 
function. Are these protocols secure? This question has two aspects: (1) Are 
they secure under the assumption that strongly noninvertible, associative one-way 
functions indeed exist? (2) What evidence do we have for the existence of such 
functions? 

The first question is an open problem. Security here depends on precisely how 
"strong noninvertibility" is defined, and in which model. Traditional complexity 
theory is concerned with the worst-case model and has identified a large number 
of problems that are hard in the worst case. Cryptographic applications, however, 
require the more demanding average-case model (see, e.g., [Gol01b,Gol99,Lub96]) 
for which much less is known. As noted by Rabi and Sherman [RS97], no proof of 
security for the Rivest-Sherman and Rabi-Sherman protocols is currently known, 
and even assuming the existence of associative one-way functions that are strongly 
noninvertible in the weaker worst-case model would not imply that the protocols are 
secure. In that regard, however, the Rivest-Sherman and Rabi-Sherman protocols 
are just like many other protocols currently used in practical applications. For 
example, neither the Diffie-Hellman protocol nor the RSA protocol currently has 
a proof of security. There are merely heuristic, intuitive arguments about how to 
avoid certain direct attacks. The "security" of the Diffie-Hellman protocol draws 
on the assumption that computing discrete logarithms is hard, and the "security" 
of the RSA protocol draws on the assumption that factoring large integers is hard. 
Breaking Diffie-Hellman is not even known to be as hard as the discrete logarithm 
problem, and breaking RSA is not even known to be as hard as the factoring 
problem. In a similar vein, Rabi and Sherman [RS93,RS97] only give intuitive 
arguments for the security of their protocols, explaining how to employ the strong 
noninvertibility of associative one-way functions to preclude certain direct attacks. 

Turning to the second question raised above: What evidence do we have that 
strongly noninvertible, associative one-way functions exist? Assuming $\mathrm{P} \neq \mathrm{NP}$, we 
will show how to construct total, strongly noninvertible, commutative, associative 
one-way functions [HR99]. (Commutativity is needed to extend the Rivest-Sherman 
and Rabi-Sherman protocols from two parties to $m > 2$ parties.) The question of 
whether or not P equals NP is perhaps 
the most important question in theoretical computer science. It is widely believed 
that P differs from NP, although this question has remained open for more than 
thirty years now. For more background on complexity theory, we refer to the 
textbooks [BDG95,BC93,HO02,Pap94]. 

5.1 Definitions and Progress of Results 

From now on, we adopt the worst-case notion of one-way functions that is due to 
Grollmann and Selman [GS88]; see also the papers by Ko [Ko85], Berman [Ber77], 
and Allender [All85,All86], and the surveys [Sel92,BHHR99]. Recall that one-way 
functions are easy to compute but hard to invert. To prevent the notion of non- 
invertibility from being trivialized, one-way functions are required to be "honest," 
i.e., to not shrink their inputs too much. Formal definitions of various types of 
honesty can be found in [GS88,HRW97,HR00,RH02,HPR01,Hom00,HT02]. 

One-way functions are often considered to be one-argument functions. Since the 
protocols from Section 3.4 require two-argument functions, the original definition 
is here tailored to the case of two-ary functions. Let $\rho : \mathbb{N} \times \mathbb{N} \to \mathbb{N}$ be any two- 
ary function; $\rho$ may be nontotal and it may be many-to-one. We say that $\rho$ is 
(polynomial-time) invertible if there exists a polynomial-time computable function 
$g$ such that for all $z \in \mathrm{image}(\rho)$, it holds that $\rho(g(z)) = z$; otherwise, we call $\rho$ not 
polynomial-time invertible, or noninvertible for short. We say that $\rho$ is a one-way 
function if and only if $\rho$ is honest, polynomial-time computable, and noninvertible. 
One-argument one-way functions are well known to exist if and only if $\mathrm{P} \neq \mathrm{NP}$; 
see, e.g., [Sel92,BDG95]. It is easy to prove the analogous result for two-argument 
one-way functions; see [HR99,RS97]. 

We now define strong noninvertibility (strongness, for short). As with noninvert- 
ibility, strongness requires an appropriate notion of honesty so as to not be trivial. 
This notion is called "s-honesty" in [HPR01], and since it is merely a technical 
requirement, we omit a formal definition here. Intuitively, "s-honesty" fits the no- 
tion of strong noninvertibility in that it is measured not only in the length of the 
function value but also in the length of the corresponding given argument. 

Definition 5.1. (see [RS97,HR99]) Let $\sigma : \mathbb{N} \times \mathbb{N} \to \mathbb{N}$ be any two-ary function; 
$\sigma$ may be nontotal and it may be many-to-one. Let $\langle \cdot, \cdot \rangle : \mathbb{N} \times \mathbb{N} \to \mathbb{N}$ be some 
standard pairing function. 

(1) We say that $\sigma$ is (polynomial-time) invertible with respect to its first argument 
if and only if there exists a polynomial-time computable function $g_1$ such that 
for all $z \in \mathrm{image}(\sigma)$ and for all $a$ and $b$ with $(a, b) \in \mathrm{domain}(\sigma)$ and $\sigma(a, b) = z$, 
it holds that $\sigma(a, g_1(\langle a, z \rangle)) = z$. 

(2) We say that $\sigma$ is (polynomial-time) invertible with respect to its second argument 
if and only if there exists a polynomial-time computable function $g_2$ such that 
for all $z \in \mathrm{image}(\sigma)$ and for all $a$ and $b$ with $(a, b) \in \mathrm{domain}(\sigma)$ and $\sigma(a, b) = z$, 
it holds that $\sigma(g_2(\langle b, z \rangle), b) = z$. 

(3) We say that $\sigma$ is strongly noninvertible if and only if $\sigma$ is neither invertible with 
respect to its first argument nor invertible with respect to its second argument. 

(4) We say that $\sigma$ is a strong one-way function if and only if $\sigma$ is s-honest, 
polynomial-time computable, and strongly noninvertible. 

Below, we define Rabi and Sherman's notion of associativity, which henceforth 
will be called "weak associativity." 

Definition 5.2. [RS93,RS97] A two-ary function $\sigma : \mathbb{N} \times \mathbb{N} \to \mathbb{N}$ is said to be 
weakly associative if and only if $\sigma(a, \sigma(b, c)) = \sigma(\sigma(a, b), c)$ holds for all $a, b, c \in \mathbb{N}$ 
for which each of $(a, b)$, $(b, c)$, $(a, \sigma(b, c))$, and $(\sigma(a, b), c)$ belongs to the domain 
of $\sigma$. 

Although this notion is suitable for total functions, weak associativity does not 
adequately fit the nontotal function case. More precisely, weak associativity fails 
to preclude, for nontotal functions, equations from having a defined value to the 
left, while being undefined to the right of their equality sign. Therefore, we present 
in Definition 5.3 below another notion of associativity for two-ary functions that is 
suitable both for total and for nontotal two-ary functions. This definition is due to 
Hemaspaandra and Rothe [HR99], who note that the two notions of associativity 
are provably distinct (see Proposition 5.4), and this distinction can be explained 
(see [HR99]) via Kleene's careful discussion [Kle52, pp. 327-328] of two distinct 
notions of equality for partial functions in recursion theory: "weak equality" be- 
tween two partial functions explicitly allows "specific, defined function values being 
equal to undefined" as long as the functions take the same values on their joint 
domain. In contrast, "complete equality" precludes this unnatural behavior by ad- 
ditionally requiring that two given partial functions be equal only if their domains 
coincide; i.e., whenever one is undefined, so is the other. Weak associativity from 
Definition 5.2 is based on Kleene's weak equality between partial functions, whereas 
associativity from Definition 5.3 is based on Kleene's complete equality. 

Definition 5.3. [HR99] Let $\sigma : \mathbb{N} \times \mathbb{N} \to \mathbb{N}$ be any two-ary function; $\sigma$ may be 
nontotal. Define $\mathbb{N}_\bot = \mathbb{N} \cup \{\bot\}$, and define an extension $\hat{\sigma} : \mathbb{N}_\bot \times \mathbb{N}_\bot \to \mathbb{N}_\bot$ of $\sigma$ 
as follows: 

$$\hat{\sigma}(a, b) = \begin{cases} \sigma(a, b) & \text{if } a \neq \bot \text{ and } b \neq \bot \text{ and } (a, b) \in \mathrm{domain}(\sigma), \\ \bot & \text{otherwise.} \end{cases}$$

We say that $\sigma$ is associative if and only if, for all $a, b, c \in \mathbb{N}$, it holds that 

$$\hat{\sigma}(\hat{\sigma}(a, b), c) = \hat{\sigma}(a, \hat{\sigma}(b, c)).$$

We say that $\sigma$ is commutative if and only if, for all $a, b \in \mathbb{N}$, it holds that 

$$\hat{\sigma}(a, b) = \hat{\sigma}(b, a).$$

The following proposition explores the relation between the two associativity 
notions presented respectively in Definition 5.2 and in Definition 5.3. In particular, 
these are indeed different notions. 

Proposition 5.4. [HR99] 

(1) Every associative two-ary function is weakly associative. 

(2) Every total two-ary function is associative exactly if it is weakly associative. 

(3) There exist two-ary functions that are weakly associative, yet not associative. 

Rabi and Sherman [RS93,RS97] showed that $\mathrm{P} \neq \mathrm{NP}$ if and only if commutative, 
weakly associative one-way functions exist. However, they did not achieve strong 
noninvertibility. Nor did they achieve totality of their weakly associative one-way 
functions, although they presented a construction that they claimed achieves total- 
ity of any weakly associative one-way function. Hemaspaandra and Rothe [HR99] 
showed that Rabi and Sherman's claim is unlikely to be true: any proof of this 
claim would imply that $\mathrm{NP} = \mathrm{UP}$, which is considered to be unlikely. Intuitively, 
the reason that Rabi and Sherman's construction is unlikely to work is that the func- 
tions constructed in [RS93,RS97] are not associative in the sense of Definition 5.3. 
In contrast, the Rabi-Sherman construction indeed is useful to achieve totality of 
the associative, strongly noninvertible one-way functions constructed in [HR99]. 

Thus, Rabi and Sherman [RS93,RS97] left open the question of whether there 
are plausible complexity-theoretic conditions sufficient to ensure the existence of 
total, strongly noninvertible, commutative, associative one-way functions. They 
also asked whether such functions could be constructed from any given one-way 
function. Section 5.2 presents the answers to these questions. 



5.2 Creating Strongly Noninvertible, Total, Commutative, Associative One-Way Func- 
tions from Any One-Way Function 

Theorem 5.5 below is the main result of this section. Since $\mathrm{P} \neq \mathrm{NP}$ is equivalent 
to the existence of one-way functions with no additional properties required, the 
converse of the implication stated in Theorem 5.5 is clearly also true. However, 
we focus on only the interesting implication directions in Theorem 5.5 and in the 
upcoming Theorem 5.7 and Theorem 5.9. 

Theorem 5.5. [HR99] If $\mathrm{P} \neq \mathrm{NP}$ then there exist total, strongly noninvert- 
ible, commutative, associative one-way functions. 

A detailed proof of Theorem 5.5 can be found in [HR99]; see also the sur- 
vey [BHHR99]. Here, we briefly sketch the proof idea. 

Assume $\mathrm{P} \neq \mathrm{NP}$. Let $A$ be a set in $\mathrm{NP} - \mathrm{P}$, and let $M$ be a fixed NP machine 
accepting $A$. Let $x \in A$ be an input accepted by $M$ in time $p(|x|)$, where $p$ is 
some polynomial. A useful property of NP sets is that they have polynomial-time 
checkable certificates (other common names for "certificate" are "witness," "proof," 
and "solution"). That is, for each certificate $z$ for "$x \in A$," it holds that: 
(a) the length of $z$ is polynomially bounded in the length of $x$, and (b) $z$ certifies 
membership of $x$ in $A$ in a way that can be verified deterministically in polynomial 
time. $\mathrm{Certificates}_M(x)$ denotes the set of all certificates of $M$ on input $x$. Note 
that $\mathrm{Certificates}_M(x)$ is nonempty exactly if $x \in A$. 

Fig. 17. The three-coloring $\psi$ of graph $G$. 

Example 5.6. For concreteness, consider Graph-Three-Colorability, a well- 
known NP-complete problem that asks whether the vertices of a given graph can 
be colored with three colors such that no two adjacent vertices receive the same 
color. Such a coloring is called a legal three-coloring. In other words, a legal three- 
coloring is a mapping $\psi$ from the vertex set of $G$ to the set of colors (RED, GREEN, 
BLUE) such that the resulting color classes are independent sets. Figure 17 gives 
an example. 

The standard NP machine for Graph-Three-Colorability works as follows: 
Given a graph $G$, nondeterministically guess a three-coloring $\psi$ of $G$ (i.e., a par- 
tition of the vertex set of $G$ into three color classes) and check deterministically 
whether $\psi$ is legal. 

Any legal three-coloring of $G$ is a certificate for the three-colorability of $G$ 
(with respect to the above NP machine). For the specific graph from Figure 17, 
one certificate $\psi$ is specified by the three color classes $\psi^{-1}(\mathrm{GREEN}) = \{a, g\}$, 
$\psi^{-1}(\mathrm{RED}) = \{c, f, h\}$, and $\psi^{-1}(\mathrm{BLUE}) = \{b, d, e\}$. 

As is standard, graphs as well as three-colorings can be encoded as binary strings 
that represent nonnegative integers. 

Suppose that for each $x \in A$ and for each certificate $z$ for "$x \in A$," it holds that 
$|z| = p(|x|) > |x|$. This is only a technical requirement that makes it easy to tell 
input strings apart from their certificates. For any integers $u, v, w \in \mathbb{N}$, let $\min(u, v)$ 
denote the minimum of $u$ and $v$, and let $\min(u, v, w)$ denote the minimum of $u$, $v$, 
and $w$. Define a two-ary function $\sigma : \mathbb{N} \times \mathbb{N} \to \mathbb{N}$ as follows: 

— If $a = \langle x, z_1 \rangle$ and $b = \langle x, z_2 \rangle$ for some $x \in A$ with certificates $z_1, z_2 \in 
\mathrm{Certificates}_M(x)$ (where, possibly, $z_1 = z_2$), then define $\sigma(a, b) = 
\langle x, \min(z_1, z_2) \rangle$; 

— if there exists some $x \in A$ with certificate $z \in \mathrm{Certificates}_M(x)$ such that either 
$a = \langle x, x \rangle$ and $b = \langle x, z \rangle$, or $a = \langle x, z \rangle$ and $b = \langle x, x \rangle$, then define $\sigma(a, b) = \langle x, x \rangle$; 

— otherwise, $\sigma(a, b)$ is undefined. 

What is the intuition behind the definition of $\sigma$? The number of certificates 
contained in the arguments of $\sigma$ is decreased by one in a way that ensures the 
associativity of $\sigma$. Moreover, $\sigma$ is noninvertible, and it is also strongly noninvertible. 
Why? The intuition here is that, regardless of whether none or either one of its 
arguments is given in addition to $\sigma$'s function value, the inversion of $\sigma$ requires 
information about the certificates for elements of $A$. However, our assumption that 
$A \notin \mathrm{P}$ guarantees that this information cannot efficiently be extracted. 

One can show that $\sigma$ is a commutative, associative one-way function that is 
strongly noninvertible. We will show associativity and strongness below. Note that 
$\sigma$ is not a total function. However, $\sigma$ can be extended to a total function without 
losing any of its other properties already established [HR99]. 

We now show that $\sigma$ is strongly noninvertible. For a contradiction, suppose there 
is a polynomial-time computable inverter, $g_2$, for a fixed second argument. Hence, 
for each $w \in \mathrm{image}(\sigma)$ and for each second argument $b$ for which there is an $a \in \mathbb{N}$ 
with $\sigma(a, b) = w$, it holds that 

$$\sigma(g_2(\langle b, w \rangle), b) = w.$$

Then, contradicting our assumption that $A \notin \mathrm{P}$, one could decide $A$ in polynomial 
time as follows: 

On input $x$, compute $g_2(\langle \langle x, x \rangle, \langle x, x \rangle \rangle)$, compute the integers $d$ and $e$ 
for which $\langle d, e \rangle$ equals $g_2(\langle \langle x, x \rangle, \langle x, x \rangle \rangle)$, and accept $x$ if and only if 
$d = x$ and $e \in \mathrm{Certificates}_M(x)$. 

This works because, if $x \in A$, then $\langle x, x \rangle = \sigma(\langle x, z \rangle, \langle x, x \rangle)$ for any certificate $z$, 
so $\langle x, x \rangle \in \mathrm{image}(\sigma)$ and $g_2$ must return some $\langle x, e \rangle$ with $e \in \mathrm{Certificates}_M(x)$; 
if $x \notin A$, no such $e$ exists and the check fails. 
Hence, $\sigma$ is not invertible with respect to its second argument. An analogous 
argument shows that $\sigma$ is not invertible with respect to its first argument. Thus, $\sigma$ 
is strongly noninvertible. 

Next, we prove that $\sigma$ is associative. Let $\bar{\sigma}$ be the total extension of $\sigma$ as in 
Definition 5.3. Fix any three elements of $\mathbb{N}$, say $a = (a_1, a_2)$, $b = (b_1, b_2)$, and 
$c = (c_1, c_2)$. To show that 

$\bar{\sigma}(\bar{\sigma}(a, b), c) = \bar{\sigma}(a, \bar{\sigma}(b, c))$ (5.17) 

holds, distinguish two cases. 

Case 1: $a_1 = b_1 = c_1$ and $\{a_2, b_2, c_2\} \subseteq \{a_1\} \cup \mathrm{Certificates}_M(a_1)$. 
Let $x, y \in \{a, b, c\}$ be any two fixed arguments of $\sigma$. As noted above, if $x$ and $y$ 
together contain $i$ certificates for "$a_1 \in A$," where $i \in \{1, 2\}$, then $\sigma(x, y)$, and thus 
also $\bar{\sigma}(x, y)$, contains exactly $\max\{0, i - 1\}$ certificates for "$a_1 \in A$." In particular, 
$\bar{\sigma}(x, y)$ preserves the minimum certificate if both $x$ and $y$ contain a certificate for 
"$a_1 \in A$." 

If exactly one of $x$ and $y$ contains a certificate for "$a_1 \in A$," then $\sigma(x, y) = (a_1, a_1)$. 

If none of $x$ and $y$ contains a certificate for "$a_1 \in A$," then $\sigma(x, y)$ is undefined, 
so $\bar{\sigma}(x, y) = \bot$. 

Let $k \leq 3$ be a number telling us how many of $a_2$, $b_2$, and $c_2$ belong to 
$\mathrm{Certificates}_M(a_1)$. For example, if $a_2 = b_2 = c_2 \in \mathrm{Certificates}_M(a_1)$ then 
$k = 3$. Consequently: 

— If $k \leq 1$ then both $\bar{\sigma}(\bar{\sigma}(a, b), c)$ and $\bar{\sigma}(a, \bar{\sigma}(b, c))$ equal $\bot$. 
— If $k = 2$ then both $\bar{\sigma}(\bar{\sigma}(a, b), c)$ and $\bar{\sigma}(a, \bar{\sigma}(b, c))$ equal $(a_1, a_1)$. 
— If $k = 3$ then both $\bar{\sigma}(\bar{\sigma}(a, b), c)$ and $\bar{\sigma}(a, \bar{\sigma}(b, c))$ equal $(a_1, \min(a_2, b_2, c_2))$. 

In each of these three cases, Equation (5.17) is satisfied. 

Case 2: Suppose Case 1 is not true. 

Then, either it holds that $a_1 \neq b_1$ or $a_1 \neq c_1$ or $b_1 \neq c_1$, or it holds that 
$a_1 = b_1 = c_1$ and $\{a_2, b_2, c_2\}$ is not contained in $\{a_1\} \cup \mathrm{Certificates}_M(a_1)$. By 
the definition of $\bar{\sigma}$, in both cases it follows that 

$\bar{\sigma}(\bar{\sigma}(a, b), c) = \bot = \bar{\sigma}(a, \bar{\sigma}(b, c)),$ 

which satisfies Equation (5.17) and concludes the proof that $\sigma$ is associative. 
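The case analysis above can be checked mechanically. The following Python code is an added example, not part of the tutorial or of [HR99]: it reconstructs $\sigma$ from the case analysis in the proof (this reconstruction is an assumption), takes as a toy stand-in for $A$ the composite numbers with nontrivial divisors as certificates (so this $\sigma$ is of course not one-way), and verifies Equation (5.17) by brute force over all triples from a small domain.

```python
"""Added example (not from the tutorial): the certificate-based sigma of this
section and its total extension sigma-bar, with Equation (5.17) checked by
brute force.  Assumptions (mine): sigma is reconstructed from the case
analysis of the proof; A and Certificates_M are a toy stand-in (A = composite
numbers, certificates = nontrivial divisors), so this sigma is not one-way."""
from itertools import product

BOTTOM = None  # the undefined value "bot" of the total extension


def certificates(n):
    """Toy Certificates_M(n): nontrivial divisors witnessing 'n is composite'."""
    return {d for d in range(2, n) if n % d == 0}


def sigma(x, y):
    """Partial sigma on pairs (x1, x2), (y1, y2); None where undefined."""
    x1, x2 = x
    y1, y2 = y
    certs = certificates(x1)
    # both arguments must refer to the same a1, and each second component is
    # either a certificate for "a1 in A" or the marker value a1 itself
    if x1 != y1 or not {x2, y2} <= {x1} | certs:
        return None
    have = [v for v in (x2, y2) if v in certs]
    if len(have) == 2:   # two certificates in, the minimum one out
        return (x1, min(have))
    if len(have) == 1:   # one certificate in, none out: the marker pair (a1, a1)
        return (x1, x1)
    return None          # no certificate in either argument: undefined


def sigma_bar(x, y):
    """Total extension: bot in either argument, or undefined sigma, gives bot."""
    if x is BOTTOM or y is BOTTOM:
        return BOTTOM
    return sigma(x, y)


def is_associative(domain):
    """Brute-force check of Equation (5.17) over all triples from a finite domain."""
    return all(sigma_bar(sigma_bar(a, b), c) == sigma_bar(a, sigma_bar(b, c))
               for a, b, c in product(domain, repeat=3))


def sample_domain(a1):
    """All pairs (a1, v) with v a certificate or the marker a1, plus a foreign pair."""
    return [(a1, v) for v in sorted({a1} | certificates(a1))] + [(a1 + 1, a1 + 1)]
```

Running `is_associative(sample_domain(12))` exercises all of the $k \leq 1$, $k = 2$, $k = 3$ and Case 2 situations (the foreign pair $(13, 13)$ forces $a_1 \neq b_1$) and returns True.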

Finally, we mention some related results of Chris Homan [Hom00] who studied 
upper and lower bounds on the ambiguity of associative one-way functions. In 
particular, extending Rabi and Sherman's [RS97] result that no total, associative 
one-way function is injective, he proved that no total, associative one-way function 
can be constant-to-one. He also showed that, under the plausible assumption that 
$\mathrm{P} \neq \mathrm{UP}$, there exist linear-to-one, total, strongly noninvertible, associative one-way 
functions. 

On a slightly less related note, Homan and Thakur [HT02] recently proved that 
one-way permutations (i.e., one-way functions that are total, one-to-one, and onto) 
exist if and only if $\mathrm{P} \neq \mathrm{UP} \cap \mathrm{coUP}$. This result gives a characterization of one-way 
permutations in terms of a complexity class separation, and thus the ultimate 
answer to a question studied in [GS88,HRW97,HR00,RH02]. 

5.3 If $\mathrm{P} \neq \mathrm{NP}$ then Some Strongly Noninvertible Functions are Invertible 

Is every strongly noninvertible function noninvertible? Hemaspaandra, Pasanen, 
and Rothe [HPR01] obtained the surprising result that if $\mathrm{P} \neq \mathrm{NP}$ then this is 
not necessarily the case. This result shows that the term "strong noninvertibility" 
introduced in [RS93,RS97] actually is a misnomer, since it seems to suggest that 
strong noninvertibility always implies noninvertibility, which is not true. 

Theorem 5.7. [HPR01] If $\mathrm{P} \neq \mathrm{NP}$ then there exists a total, honest two-ary 
function that is strongly one-way but not a one-way function. 

We give a brief sketch of the proof. Assume $\mathrm{P} \neq \mathrm{NP}$. Then, there exists a total 
two-ary one-way function, call it $\rho$. For any integer $n \in \mathbb{N}$, define the notation 

$\mathrm{odd}(n) = 2n + 1$ and $\mathrm{even}(n) = 2n$. 

Define a function $\sigma : \mathbb{N} \times \mathbb{N} \to \mathbb{N}$ as follows. Let $a, b \in \mathbb{N}$ be any two arguments 
of $\sigma$. 

— If $a \neq 0 \neq b$, $a = \langle x, y \rangle$ is odd, and $b$ is even, then define $\sigma(a, b) = \mathrm{even}(\rho(x, y))$. 
— If $a \neq 0 \neq b$, $a$ is even, and $b = \langle x, y \rangle$ is odd, then define $\sigma(a, b) = \mathrm{even}(\rho(x, y))$. 
— If $a \neq 0 \neq b$, and $a$ is odd if and only if $b$ is odd, then define $\sigma(a, b) = \mathrm{odd}(a + b)$. 
— If $a = 0$ or $b = 0$, then define $\sigma(a, b) = a + b$. 

We claim that $\sigma$ is strongly noninvertible. For a contradiction, suppose $\sigma$ were 
invertible with respect to its first argument via an inverter, $g_1$. By the definition 
of $\sigma$, for any $z \in \mathrm{image}(\rho)$ with $z \neq 0$, the function $g_1$ on input $(2, \mathrm{even}(z))$ yields 
an odd integer $b$ from which we can read the pair $\langle x, y \rangle$ with $\rho(x, y) = z$. Hence, 
using $g_1$, one could invert $\rho$ in polynomial time, a contradiction. Thus, $\sigma$ is not 
invertible with respect to its first argument. Analogously, one can show that $\sigma$ 
is not invertible with respect to its second argument. So, $\sigma$ indeed is strongly 
noninvertible. 

But $\sigma$ is invertible! By the fourth line in the definition of $\sigma$, every $z$ in the image 
of $\sigma$ has a preimage of the form $(0, z)$. Thus, the function $g$ defined by $g(z) = (0, z)$ 
inverts $\sigma$ in polynomial time. Hence, $\sigma$ is not a one-way function. 
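The construction is small enough to run. The following Python code is an added example, not taken from the tutorial or from [HPR01]: it implements the four-line definition of $\sigma$, the trivial inverter $g(z) = (0, z)$, and the reduction from a first-argument inverter $g_1$ to an inverter for $\rho$. It assumes the Cantor pairing function as $\langle x, y \rangle$ and uses a toy total two-ary function as a stand-in for $\rho$, so nothing in it is actually hard to invert; it only shows the algebra of the argument.

```python
"""Added example (not from the tutorial): sigma from the proof sketch of
Theorem 5.7, its trivial inverter g(z) = (0, z), and the reduction that turns
a first-argument inverter g1 for sigma into an inverter for rho.
Assumptions (mine): Cantor pairing as <x, y>; rho is a toy total two-ary
function standing in for the one-way function, so nothing here is hard."""
import math


def pair(x, y):  # Cantor pairing <x, y>: a bijection N x N -> N
    return (x + y) * (x + y + 1) // 2 + y


def unpair(n):  # inverse of pair()
    w = (math.isqrt(8 * n + 1) - 1) // 2
    y = n - w * (w + 1) // 2
    return w - y, y


def even(n): return 2 * n
def odd(n): return 2 * n + 1


def rho(x, y):  # toy stand-in for the one-way function rho (assumption)
    return (x * x + 3 * y) % 97


def sigma(a, b):
    """The four-line definition of sigma from the proof of Theorem 5.7."""
    if a == 0 or b == 0:           # fourth line: sigma(0, z) = z = sigma(z, 0)
        return a + b
    if a % 2 == 1 and b % 2 == 0:  # odd a = <x, y>, even b
        return even(rho(*unpair(a)))
    if a % 2 == 0 and b % 2 == 1:  # even a, odd b = <x, y>
        return even(rho(*unpair(b)))
    return odd(a + b)              # same parity: odd(a + b)


def g(z):  # inverter for sigma as a plain function: (0, z) is always a preimage
    return (0, z)


def g1_bruteforce(a, w, bound=10_000):  # toy exponential-time first-argument inverter
    return next((b for b in range(bound) if sigma(a, b) == w), None)


def invert_rho_via_g1(z, g1=g1_bruteforce):
    """The reduction in the text: g1 on (2, even(z)) must return an odd b = <x, y>
    with rho(x, y) == z, so an efficient g1 would invert rho efficiently."""
    b = g1(2, even(z))
    return None if b is None or b % 2 == 0 else unpair(b)
```

Note that an even nonzero $b$ can never answer the query $(2, \mathrm{even}(z))$, since $\sigma(2, b)$ is then odd, which is why the reduction can always read a pair off the odd $b$ returned.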

Why don't we use a different notion of strongness that automatically implies 
noninvertibility? Here is an attempt to redefine the notion of strongness accordingly, 
which yields a new notion that we will call "overstrongness." 

Definition 5.8. [HPR01] Let $\sigma : \mathbb{N} \times \mathbb{N} \to \mathbb{N}$ be any two-ary function; $\sigma$ may 
be nontotal and it may be many-to-one. We say that $\sigma$ is overstrong if and only if 
no polynomial-time computable function $f$ with $f : \{1, 2\} \times \mathbb{N} \times \mathbb{N} \to \mathbb{N} \times \mathbb{N}$ satisfies 
that for each $i \in \{1, 2\}$ and for each $z, a \in \mathbb{N}$: 

$\bigl((\exists b \in \mathbb{N})[(\sigma(a, b) = z \wedge i = 1) \vee (\sigma(b, a) = z \wedge i = 2)]\bigr) \implies \sigma(f(i, z, a)) = z.$ 

Note that overstrongness implies both noninvertibility and strong noninvertibility. 
However, the problem with this new definition is that it completely loses the 
core of why strongness precludes direct attacks on the Rivest-Sherman and Rabi-Sherman 
protocols. To see why, look at Figure 10 and Figure 11, which 
give the protocols of Rabi, Rivest, and Sherman. In contrast to overstrongness, 
Rabi, Rivest, and Sherman's original definition of strong noninvertibility (see Definition 
5.1) respects the argument given. It is this feature that precludes Erich from 
being able to compute Alice's secret $x$ from the transmitted values $\sigma(x, y)$ and $y$, 
which he knows. In short, overstrongness is not well-motivated by the protocols of 
Rabi, Rivest, and Sherman. 

We mention without proof some further results of Hemaspaandra, Pasanen, and 
Rothe [HPR01]. 

Theorem 5.9. [HPR01] 

(1) If $\mathrm{P} \neq \mathrm{NP}$ then there exists a total, honest, s-honest, two-ary overstrong function. 
Consequently, if $\mathrm{P} \neq \mathrm{NP}$ then there exists a total two-ary function that 
is both one-way and strongly one-way. 

(2) If $\mathrm{P} \neq \mathrm{NP}$ then there exists a total, s-honest two-ary one-way function $\sigma$ such 
that $\sigma$ is invertible with respect to its first argument and $\sigma$ is invertible with 
respect to its second argument. 

(3) If $\mathrm{P} \neq \mathrm{NP}$ then there exists a total, s-honest two-ary one-way function that is 
invertible with respect to either one of its arguments (thus, it is not strongly 
one-way), yet that is not invertible with respect to its other argument. 

(4) If $\mathrm{P} \neq \mathrm{NP}$ then there exists a total, honest, s-honest two-ary function that is 
noninvertible and strongly noninvertible but that is not overstrong. 